letsencrypt
admin: generate list of SHA-256 fingerprints for an incident table
The admin tool should be able to generate a list of SHA-256 fingerprints over the certificates described in an incident table.
This would be particularly useful for compliance incidents, because we usually need to provide a list of crt.sh or Censys links describing the entire corpus of affected certificates, which are best constructed using the SHA-256 hash.
Based on the current proposed update to the incident reporting guidelines and template, we're going to need the admin tool to generate a lot more than just the sha256:
In the case of incidents that directly impact certificates, the Appendix MUST include a comma separated listing of certificate details of all affected certificates and include the following fields for each:
| Field | Description |
|---|---|
| Pre-certificate SHA-256 hash | A SHA-256 hash of the DER encoded pre-certificate. |
| Certificate SHA-256 hash | A SHA-256 hash of the DER encoded certificate. |
| Subject | The Subject field of the Certificate. |
| Issuer | The Issuer field of the Certificate. |
| Not before | The notBefore field of the Certificate. |
| Not after | The notAfter field of the Certificate. |
| Serial # | The Serial Number field of the Certificate, in hex. |
| Is revoked? | "Yes", "Planned","Delayed", or "N/A" (for expired) |
| Revocation date | Actual Date, Planned Date, or "N/A" |
| Revocation reason | The reasonCode corresponding with the Certificate's entry on the CRL. |
