syntax = "proto3"; package ca; option go_package = "github.com/letsencrypt/boulder/ca/proto"; import "core/proto/core.proto"; import "google/protobuf/timestamp.proto"; // CertificateAuthority issues certificates. service CertificateAuthority { rpc IssuePrecertificate(IssueCertificateRequest) returns (IssuePrecertificateResponse) {} rpc IssueCertificateForPrecertificate(IssueCertificateForPrecertificateRequest) returns (core.Certificate) {} } message IssueCertificateRequest { bytes csr = 1; int64 registrationID = 2; int64 orderID = 3; int64 issuerNameID = 4; } message IssuePrecertificateResponse { bytes DER = 1; } message IssueCertificateForPrecertificateRequest { bytes DER = 1; repeated bytes SCTs = 2; int64 registrationID = 3; int64 orderID = 4; } // OCSPGenerator generates OCSP. We separate this out from // CertificateAuthority so that we can restrict access to a different subset of // hosts, so the hosts that need to request OCSP generation don't need to be // able to request certificate issuance. service OCSPGenerator { rpc GenerateOCSP(GenerateOCSPRequest) returns (OCSPResponse) {} } // Exactly one of certDER or [serial and issuerID] must be set. message GenerateOCSPRequest { // Next unused field number: 8 string status = 2; int32 reason = 3; int64 revokedAtNS = 4; // Unix timestamp (nanoseconds) google.protobuf.Timestamp revokedAt = 7; string serial = 5; int64 issuerID = 6; } message OCSPResponse { bytes response = 1; } // CRLGenerator signs CRLs. It is separated for the same reason as OCSPGenerator. service CRLGenerator { rpc GenerateCRL(stream GenerateCRLRequest) returns (stream GenerateCRLResponse) {} } message GenerateCRLRequest { oneof payload { CRLMetadata metadata = 1; core.CRLEntry entry = 2; } } message CRLMetadata { // Next unused field number: 5 int64 issuerNameID = 1; int64 thisUpdateNS = 2; // Unix timestamp (nanoseconds), also used for CRLNumber. google.protobuf.Timestamp thisUpdate = 4; int64 shardIdx = 3; } message GenerateCRLResponse { bytes chunk = 1; }