// Config is the top-level configuration for the CA process. The CA stanza
// holds the certificate authority's own settings; PA, Syslog and
// OpenTelemetry are shared cmd stanzas consumed by the common startup code.
type Config struct {
	CA struct {
		cmd.ServiceConfig
		cmd.HostnamePolicyConfig

		// GRPCCA is the gRPC server config and SAService the gRPC client
		// config used by this process. NOTE(review): presumably the CA's own
		// listener and its connection to the Storage Authority — confirm
		// against the callers that wire these up.
		GRPCCA    *cmd.GRPCServerConfig
		SAService *cmd.GRPCClientConfig

		// Issuance contains all information necessary to load and initialize issuers.
		Issuance struct {
			Profile issuance.ProfileConfig
			// Issuers lists the issuers to load. At least one is required and
			// each entry is validated individually (see the validate tag).
			Issuers []issuance.IssuerConfig `validate:"min=1,dive"`
			// IgnoredLints names lints that are not enforced during issuance.
			// NOTE(review): each entry here switches off a pre-issuance check,
			// so additions should be reviewed as deliberate policy decisions.
			IgnoredLints []string
		}

		// How long issued certificates are valid for.
		Expiry config.Duration

		// How far back certificates should be backdated.
		Backdate config.Duration

		// What digits we should prepend to serials after randomly generating them.
		// The validate tag restricts this to a single non-zero byte (1..255).
		// It is a fixed, configured value and so contributes no randomness to
		// the serial number itself.
		SerialPrefix int `validate:"required,min=1,max=255"`

		// The maximum number of subjectAltNames in a single certificate.
		MaxNames int `validate:"required,min=1,max=100"`

		// LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
		// Section 4.9.10, it MUST NOT be more than 10 days.
		LifespanOCSP config.Duration

		// LifespanCRL is how long CRLs are valid for. It should be longer than the
		// `period` field of the CRL Updater. Per the BRs, Section 4.9.7, it MUST
		// NOT be more than 10 days.
		LifespanCRL config.Duration

		// GoodKey is an embedded config stanza for the goodkey library.
		GoodKey goodkey.Config

		// Maximum length (in bytes) of a line accumulating OCSP audit log entries.
		// Recommended to be around 4000. If this is 0, do not perform OCSP audit
		// logging.
		OCSPLogMaxLength int

		// Maximum period (in Go duration format) to wait to accumulate a max-length
		// OCSP audit log line. We will emit a log line at least once per period,
		// if there is anything to be logged. Keeping this low minimizes the risk
		// of losing logs during a catastrophic failure. Making it too high
		// means logging more often than necessary, which is inefficient in terms
		// of bytes and log system resources.
		// Recommended to be around 500ms.
		OCSPLogPeriod config.Duration

		// Path of a YAML file containing the list of int64 RegIDs
		// allowed to request ECDSA issuance.
		ECDSAAllowListFilename string

		// CTLogListFile is the path to a JSON file on disk containing the set of
		// all logs trusted by Chrome. The file must match the v3 log list schema:
		// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
		CTLogListFile string

		// CRLDPBase is the piece of the CRL Distribution Point URI which is common
		// across all issuers and shards. It must use the http:// scheme, and must
		// not end with a slash. Example: "http://prod.c.lencr.org".
		// The validate tag enforces the scheme and the no-trailing-slash rule.
		CRLDPBase string `validate:"required,url,startswith=http://,endsnotwith=/"`

		// DisableCertService causes the CertificateAuthority gRPC service to not
		// start, preventing any certificates or precertificates from being issued.
		DisableCertService bool

		// DisableOCSPService causes the OCSPGenerator gRPC service to not start,
		// preventing any OCSP responses from being issued.
		DisableOCSPService bool

		// DisableCRLService causes the CRLGenerator gRPC service to not start,
		// preventing any CRLs from being issued.
		DisableCRLService bool

		// Features holds named feature flags.
		Features map[string]bool
	}

	PA            cmd.PAConfig
	Syslog        cmd.SyslogConfig
	OpenTelemetry cmd.OpenTelemetryConfig
}