Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: EJBCA 6.14.0
Fix Version/s: EJBCA 6.14.0
Component/s: None
Epic Link:
Sprint: EJBCA Sprint 17
The spec says:

    caaIdentities (optional, array of string): Each string MUST be a lowercase hostname which the ACME server recognizes as referring to itself for the purposes of CAA record validation as defined in [RFC6844]. This allows clients to determine the correct issuer domain name to use when configuring CAA records.
The CAA identities are hardcoded to a dummy value:

    public List<String> getCaaIdentities() {
        return new ArrayList<String>(Arrays.asList("ca.example.com"));
    }
Instead, the CAA identities should be taken from the corresponding CAA validator, or (perhaps easier) be specified as a setting per ACME alias.
    {
      "newNonce": "https://nautilus:8443/ejbca/acme/newNonce",
      "newAccount": "https://nautilus:8443/ejbca/acme/newAccount",
      "newOrder": "https://nautilus:8443/ejbca/acme/newOrder",
      "newAuthz": "https://nautilus:8443/ejbca/acme/newAuthz",
      "revokeCert": "https://nautilus:8443/ejbca/acme/revokeCert",
      "keyChange": "https://nautilus:8443/ejbca/acme/keyChange",
      "meta": {
        "termsOfService": "https://footrust.com/acme/terms",
        "website": "https://footrust.com",
        "caaIdentities": [
          "pki.stormhub.org",
          "footrust.com"
        ],
        "externalAccountRequired": false
      }
    }
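As an added illustration (not EJBCA's own code), the Java class below shows one way the per-alias setting suggested above could replace the hardcoded list. The `AcmeAliasSettings` holder, the method names and the sample values are assumptions made for this example; the point it adds is that each configured identity is normalized to lowercase and rejected if it is not a syntactically valid hostname before it is published in the directory `meta` object, so a bad entry fails at configuration time rather than being served to every ACME client.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not EJBCA code: builds the "meta" object of an ACME directory
 * response with caaIdentities read from a per-alias setting instead of a
 * hardcoded value. AcmeAliasSettings is a hypothetical stand-in for the
 * configuration store an ACME alias would actually be backed by.
 */
public class AcmeDirectoryMeta {

    // Hostname syntax (RFC 1123-style labels, max 253 characters overall);
    // lowercase only, because the directory spec requires lowercase hostnames.
    private static final Pattern HOSTNAME = Pattern.compile(
            "^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
            + "(?:\\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$");

    /** Hypothetical per-alias configuration holder (constructed for this example). */
    public static final class AcmeAliasSettings {
        private final Map<String, List<String>> caaIdentitiesByAlias = new LinkedHashMap<>();

        public void setCaaIdentities(String alias, List<String> identities) {
            caaIdentitiesByAlias.put(alias, new ArrayList<>(identities));
        }

        public List<String> getCaaIdentities(String alias) {
            return caaIdentitiesByAlias.getOrDefault(alias, Collections.emptyList());
        }
    }

    /**
     * Returns the CAA identities configured for an alias, lowercased,
     * de-duplicated and checked against the hostname syntax. A trailing dot
     * (as typed in DNS zone files) is tolerated and stripped.
     */
    public static List<String> validatedCaaIdentities(AcmeAliasSettings settings, String alias) {
        List<String> result = new ArrayList<>();
        for (String raw : settings.getCaaIdentities(alias)) {
            String host = raw.trim().toLowerCase(Locale.ROOT);
            if (host.endsWith(".")) {
                host = host.substring(0, host.length() - 1);
            }
            if (!HOSTNAME.matcher(host).matches()) {
                throw new IllegalArgumentException(
                        "caaIdentities entry is not a valid hostname: '" + raw + "' (alias " + alias + ")");
            }
            if (!result.contains(host)) {
                result.add(host);
            }
        }
        return result;
    }

    /** Builds the directory "meta" object; caaIdentities is optional, so an empty list is omitted. */
    public static Map<String, Object> buildMeta(AcmeAliasSettings settings, String alias,
                                                String termsOfService, String website,
                                                boolean externalAccountRequired) {
        Map<String, Object> meta = new LinkedHashMap<>();
        meta.put("termsOfService", termsOfService);
        meta.put("website", website);
        List<String> caa = validatedCaaIdentities(settings, alias);
        if (!caa.isEmpty()) {
            meta.put("caaIdentities", caa);
        }
        meta.put("externalAccountRequired", externalAccountRequired);
        return meta;
    }

    public static void main(String[] args) {
        AcmeAliasSettings settings = new AcmeAliasSettings();
        // Constructed sample values: mixed case and a trailing dot are normalized,
        // so the result matches the hostnames in the directory response above.
        settings.setCaaIdentities("acme", Arrays.asList("PKI.StormHub.org.", "footrust.com"));
        System.out.println(buildMeta(settings, "acme",
                "https://footrust.com/acme/terms", "https://footrust.com", false));

        // An entry with a space or an underscore is rejected instead of being published.
        settings.setCaaIdentities("broken", Arrays.asList("not a hostname"));
        try {
            validatedCaaIdentities(settings, "broken");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether the identities come from a per-alias setting, as here, or are derived from the CAA validator attached to the CA, the same normalization and syntax check applies before the value reaches the directory response.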