[Pki-devel] ACME certificate IDs

Fraser Tweedale ftweedal at redhat.com
Tue Mar 17 06:38:38 UTC 2020


Hi Endi,

Just want to quickly discuss certificate IDs.

Currently on ACMEBackend interface we have

  public BigInteger issueCertificate(String csr);

I think this is a bit of a problem.  e.g. Dogtag currently supports
multiple issuers (LWCAs).  It is incidental that serial numbers do
not collide.  This might not hold for other backends.  Yet we need
the certificate ID to uniquely identify the certificate, so that we
can retrieve it, revoke it, etc.

I suggest changing the return value to a string (which is how it
gets stored in the ACMEOrder object anyway).

I'd further suggest that by convention, where possible, the string
be a representation of issuer+serial, which is a bit nicer for
humans looking at the stored objects than a base64url-encoded
big-endian bigint.

What do you think?

Cheers,
Fraser
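As an added illustration of the collision described above (example code, not from Dogtag or this thread): a hypothetical CertificateId value type that encodes issuer+serial as one string, parses it back, and shows that keying stored orders by serial alone merges certificates from two LWCAs, while the composite string keeps them distinct. The "<issuer-label>:<serial-hex>" format, the ':' separator and the LWCA names are assumptions.

```java
import java.math.BigInteger;
import java.util.HashMap;
import java.util.Map;

// Hypothetical string certificate ID of the form "<issuer-label>:<serial-hex>".
// Not Dogtag's own format; the issuer label is assumed to be a short LWCA name.
public final class CertificateId {
    private final String issuer;
    private final BigInteger serial;

    private CertificateId(String issuer, BigInteger serial) {
        this.issuer = issuer;
        this.serial = serial;
    }

    public static CertificateId of(String issuer, BigInteger serial) {
        // The separator must not appear in the label, or parse() becomes ambiguous.
        if (issuer == null || issuer.isEmpty() || issuer.indexOf(':') >= 0)
            throw new IllegalArgumentException("issuer label must be non-empty and contain no ':'");
        if (serial == null || serial.signum() <= 0)
            throw new IllegalArgumentException("serial must be positive");
        return new CertificateId(issuer, serial);
    }

    // Inverse of toString(); rejects strings that would not round-trip.
    public static CertificateId parse(String id) {
        int sep = id.lastIndexOf(':');
        if (sep <= 0 || sep == id.length() - 1)
            throw new IllegalArgumentException("malformed certificate id: " + id);
        return of(id.substring(0, sep), new BigInteger(id.substring(sep + 1), 16));
    }

    public BigInteger serial() { return serial; }

    @Override public String toString() { return issuer + ":" + serial.toString(16); }

    public static void main(String[] args) {
        // Two LWCAs each hand out serial 0x1000 (constructed values).
        CertificateId a = of("lwca-east", BigInteger.valueOf(0x1000));
        CertificateId b = of("lwca-west", BigInteger.valueOf(0x1000));

        Map<BigInteger, String> bySerial = new HashMap<>();
        bySerial.put(a.serial(), "order-1");
        bySerial.put(b.serial(), "order-2"); // same key: order-1 is silently overwritten

        Map<String, String> byId = new HashMap<>();
        byId.put(a.toString(), "order-1");
        byId.put(b.toString(), "order-2");   // distinct keys: both orders are retained

        System.out.println("serial-keyed: " + bySerial.size() + ", id-keyed: " + byId.size());
        System.out.println("round-trip ok: " + parse(a.toString()).toString().equals(a.toString()));
    }
}
```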
