github.com/letsencrypt/boulder@v0.20251208.0/docs/ISSUANCE-CYCLE.md

# The Issuance Cycle

What happens during an ACME finalize request?

At a high level:

1. Check that all authorizations are good.
2. Recheck CAA for hostnames that need it.
3. Allocate and store a serial number.
4. Select a certificate profile.
5. Generate and store linting precertificate.
6. Sign, log (and don't store) precertificate.
7. Submit precertificate to CT.
8. Generate linting final certificate. Not logged or stored.
9. Sign, log, and store final certificate.

Revocation can happen at any time after (5), whether or not step (6) was successful. We do things this way so that even in the event of a power failure or error storing data, we have a record of what we planned to sign (the tbsCertificate bytes of the linting certificate).

Note that to avoid needing a migration, we chose to store the linting certificate from (5) in the "precertificates" table, which is now a bit of a misnomer.
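
The ordering of steps (5) and (6), as an added Go example that is not Boulder's own code: it assumes the linting certificate is signed with a throwaway key of the same type as the real issuer key, which yields the same tbsCertificate bytes the real key signs afterwards, so those bytes can be recorded first. The function names, issuer name, serial and hostname are constructed for illustration; linting, the CT poison extension and the database write are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign is a helper for this added example (not Boulder code): it signs tmpl under issuer's name.
func sign(tmpl, issuer *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// planThenSign fixes the tbsCertificate with a throwaway key (assumed lint step) before realKey signs.
func planThenSign(tmpl, issuer *x509.Certificate, pub any, realKey *ecdsa.PrivateKey) (planned []byte, final *x509.Certificate, err error) {
	lintKey, _ := ecdsa.GenerateKey(realKey.Curve, rand.Reader) // same key type, so same signatureAlgorithm field
	lint, err := sign(tmpl, issuer, pub, lintKey)
	if err != nil {
		return nil, nil, err
	}
	planned = lint.RawTBSCertificate // step 5: a CA would persist these bytes now
	if final, err = sign(tmpl, issuer, pub, realKey); err == nil && !bytes.Equal(final.RawTBSCertificate, planned) { // step 6
		err = fmt.Errorf("serial %v: signed tbsCertificate differs from the recorded plan", tmpl.SerialNumber)
	}
	return planned, final, err // planned survives even when step 6 fails
}

// demo uses constructed inputs: the issuer name, serial and hostname are made up.
func demo() ([]byte, *x509.Certificate, error) {
	realKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Issuer"}, SubjectKeyId: []byte{1, 2, 3, 4}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x1234), DNSNames: []string{"example.com"}, NotBefore: time.Unix(1700000000, 0), NotAfter: time.Unix(1707776000, 0)}
	return planThenSign(tmpl, issuer, &subKey.PublicKey, realKey)
}

func main() {
	planned, final, err := demo()
	fmt.Println(err, err == nil && bytes.Equal(planned, final.RawTBSCertificate))
}
```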