Details
- Type: Epic
- Status: Resolved
- Priority: Major
- Resolution: Incomplete
- Affects Version/s: None
- Fix Version/s: None
- Component/s: Protocols
- Labels:
- Epic Name: Persistent storage of SCT responses
- Issue discovered during: Customer
Description
Currently, EJBCA caches SCTs in memory only. In addition to this, we should also store SCTs in a database table to prevent duplicate submissions (submission is an idempotent operation, so this is mostly a performance and reliability improvement).
If this feature is used together with the CTCustomPublisher, it should be possible to pre-fetch SCTs, so that the OCSP responder doesn't need any contact with the CT logs at all.
To be done:
- Create a new database table in EJBCA for storing the SCTs of each certificate.
- Make EJBCA use the new database table in addition to the existing in-memory cache for storing SCTs.
- New configuration option for how to handle missing certificates (return 'unknown' status with a short cache header).
- Document how to use Publishers to fetch SCTs automatically after certificates are issued.
- New "CT Publisher Worker" to automatically submit any certificates that don't have enough SCTs.
- Add a note in the UPGRADE document.
Don't forget that the stored SCTs should be recached and pruned when the CT Logs configuration changes, as new logs may appear while others become invalidated.
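As an added illustration of the two-tier design described above (an in-memory cache in front of a persistent table, a worker that only submits to logs a certificate still lacks an SCT from, and pruning when the CT Logs configuration changes), here is a self-contained sketch. It is not EJBCA code: the class and method names are hypothetical, the "table" is an in-memory map standing in for the database table, and the log IDs, fingerprint and SCT bytes are constructed sample values.

```java
import java.util.*;

/**
 * Illustrative two-tier SCT store (hypothetical names, not EJBCA's own classes):
 * an in-memory cache in front of a persistent table, keyed by certificate
 * fingerprint and then by CT log ID.
 */
public class SctStoreExample {

    /** One stored SCT: the CT log that issued it and its encoded bytes. */
    record StoredSct(String logId, byte[] encoded) {}

    /** Stand-in for the database table; a real implementation would use JPA/JDBC. */
    private final Map<String, Map<String, StoredSct>> table = new HashMap<>();
    /** In-memory cache with the same shape as the table. */
    private final Map<String, Map<String, StoredSct>> cache = new HashMap<>();
    /** Log IDs currently enabled in the CT Logs configuration. */
    private Set<String> configuredLogs;

    SctStoreExample(Set<String> configuredLogs) {
        this.configuredLogs = new HashSet<>(configuredLogs);
    }

    /** Store an SCT in both tiers. Storing the same (fingerprint, logId) twice is idempotent. */
    void store(String certFingerprint, StoredSct sct) {
        table.computeIfAbsent(certFingerprint, k -> new HashMap<>()).put(sct.logId(), sct);
        cache.computeIfAbsent(certFingerprint, k -> new HashMap<>()).put(sct.logId(), sct);
    }

    /** Read-through: serve from the cache, otherwise load from the table and repopulate the cache. */
    Collection<StoredSct> get(String certFingerprint) {
        Map<String, StoredSct> hit = cache.get(certFingerprint);
        if (hit == null) {
            hit = new HashMap<>(table.getOrDefault(certFingerprint, Map.of()));
            cache.put(certFingerprint, hit);
        }
        return Collections.unmodifiableCollection(hit.values());
    }

    /** Configured logs the certificate has no SCT from yet; a publisher worker submits only to these. */
    Set<String> missingLogs(String certFingerprint) {
        Set<String> missing = new TreeSet<>(configuredLogs);
        for (StoredSct s : get(certFingerprint)) {
            missing.remove(s.logId());
        }
        return missing;
    }

    /**
     * Called when the CT Logs configuration changes: drop SCTs from logs that are no
     * longer configured, then rebuild the cache from the table so both tiers agree.
     */
    void onLogConfigurationChanged(Set<String> newConfiguredLogs) {
        configuredLogs = new HashSet<>(newConfiguredLogs);
        for (Map<String, StoredSct> perCert : table.values()) {
            perCert.keySet().retainAll(configuredLogs);
        }
        table.values().removeIf(Map::isEmpty);
        cache.clear();
        for (Map.Entry<String, Map<String, StoredSct>> e : table.entrySet()) {
            cache.put(e.getKey(), new HashMap<>(e.getValue()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two configured logs and one certificate fingerprint.
        SctStoreExample store = new SctStoreExample(Set.of("log-A", "log-B"));
        String fp = "sha256:constructed-fingerprint-1";

        store.store(fp, new StoredSct("log-A", new byte[] {0x00, 0x01}));
        System.out.println("missing after first SCT: " + store.missingLogs(fp));

        store.store(fp, new StoredSct("log-B", new byte[] {0x00, 0x02}));
        System.out.println("missing after second SCT: " + store.missingLogs(fp));

        // log-B is retired and log-C appears: log-B's SCT is pruned and log-C becomes outstanding.
        store.onLogConfigurationChanged(Set.of("log-A", "log-C"));
        System.out.println("missing after config change: " + store.missingLogs(fp));
        System.out.println("SCTs still stored: " + store.get(fp).size());
    }
}
```

The pruning step removes entries from the table first and then rebuilds the cache from it, so a stale cache can never hand out an SCT for a log that has been removed from the configuration, and the worker's view of which logs are outstanding is always derived from the persistent tier.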