Details
-
Type:
New Feature
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EJBCA 6.14.0
-
Fix Version/s: EJBCA 6.14.0
-
Component/s: None
-
Epic Link:
-
Sprint:EJBCA Sprint 17
Description
The spec says:
caaIdentities (optional, array of string): Each string MUST be a
lowercase hostname which the ACME server recognizes as referring
to itself for the purposes of CAA record validation as defined in
[RFC6844]. This allows clients to determine the correct issuer
domain name to use when configuring CAA records.
The CAA identities are hardcoded to a dummy value:
public List<String> getCaaIdentities() { return new ArrayList<String>(Arrays.asList("ca.example.com")); }
Instead, the CAA identities should be taken from the corresponding CAA validator, or (perhaps easier) be specified as a setting per ACME alias.
{
"newNonce": "https://nautilus:8443/ejbca/acme/newNonce",
"newAccount": "https://nautilus:8443/ejbca/acme/newAccount",
"newOrder": "https://nautilus:8443/ejbca/acme/newOrder",
"newAuthz": "https://nautilus:8443/ejbca/acme/newAuthz",
"revokeCert": "https://nautilus:8443/ejbca/acme/revokeCert",
"keyChange": "https://nautilus:8443/ejbca/acme/keyChange",
"meta": {
"termsOfService": "https://footrust.com/acme/terms",
"website": "https://footrust.com",
"caaIdentities": [
"pki.stormhub.org",
"footrust.com"
],
"externalAccountRequired": false
}
}
