Complete M1, M1.1, M2: end-to-end lifecycle, agent deployment, ACME v2

- Wire issuer connector end-to-end with IssuerConnectorAdapter (dependency inversion)
- Renewal/issuance job processor: RSA key + CSR generation, Local CA signing, cert version storage
- Agent work API (GET /agents/{id}/work) and job status API (POST /agents/{id}/jobs/{job_id}/status)
- Agent-side deployment: WorkItem enrichment with target type/config, NGINX/F5/IIS connector invocation
- Full ACME v2 implementation: HTTP-01 challenge solving, account registration, order lifecycle
- Update all docs (README, architecture, connectors, demo-advanced, quickstart) for M1-M2
- Fix go vet warning in deployment.go (non-constant format string)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/agent.go

@@ -17,6 +17,7 @@ type AgentService struct {
 	agentRepo       repository.AgentRepository
 	certRepo        repository.CertificateRepository
 	jobRepo         repository.JobRepository
+	targetRepo      repository.TargetRepository
 	auditService    *AuditService
 	issuerRegistry  map[string]IssuerConnector
 }
@@ -26,6 +27,7 @@ func NewAgentService(
 	agentRepo repository.AgentRepository,
 	certRepo repository.CertificateRepository,
 	jobRepo repository.JobRepository,
+	targetRepo repository.TargetRepository,
 	auditService *AuditService,
 	issuerRegistry map[string]IssuerConnector,
 ) *AgentService {
@@ -33,6 +35,7 @@ func NewAgentService(
 		agentRepo:      agentRepo,
 		certRepo:       certRepo,
 		jobRepo:        jobRepo,
+		targetRepo:     targetRepo,
 		auditService:   auditService,
 		issuerRegistry: issuerRegistry,
 	}
@@ -103,6 +106,8 @@ func (s *AgentService) Heartbeat(agentID string) error {
 }
 
 // SubmitCSR validates and processes a Certificate Signing Request from an agent.
+// It forwards the CSR to the appropriate issuer connector for signing, then stores
+// the resulting certificate version.
 func (s *AgentService) SubmitCSR(ctx context.Context, agentID string, certID string, csrPEM []byte) error {
 	// Fetch agent
 	agent, err := s.agentRepo.Get(ctx, agentID)
@@ -110,16 +115,54 @@ func (s *AgentService) SubmitCSR(ctx context.Context, agentID string, certID str
 		return fmt.Errorf("failed to fetch agent: %w", err)
 	}
 
-	// Validate CSR format (basic check)
+	// Validate CSR format
 	if len(csrPEM) == 0 {
 		return fmt.Errorf("invalid CSR: empty")
 	}
 
-	// In production, parse and validate the CSR signature and CN here
-	// For now, accept and proceed
+	// If a certificate ID is provided, sign the CSR via the issuer connector
+	if certID != "" {
+		cert, err := s.certRepo.Get(ctx, certID)
+		if err != nil {
+			return fmt.Errorf("failed to fetch certificate: %w", err)
+		}
 
-	// In a production system, we'd store the CSR in a certificate version or metadata
-	// For now, we just validate and accept it
+		// Look up the issuer connector
+		connector, ok := s.issuerRegistry[cert.IssuerID]
+		if ok {
+			// Sign the CSR via the issuer connector
+			result, err := connector.IssueCertificate(ctx, cert.CommonName, cert.SANs, string(csrPEM))
+			if err != nil {
+				return fmt.Errorf("issuer signing failed: %w", err)
+			}
+
+			// Store the signed certificate as a new version
+			version := &domain.CertificateVersion{
+				ID:                generateID("certver"),
+				CertificateID:    certID,
+				SerialNumber:     result.Serial,
+				NotBefore:        result.NotBefore,
+				NotAfter:         result.NotAfter,
+				PEMChain:         result.CertPEM + "\n" + result.ChainPEM,
+				CSRPEM:           string(csrPEM),
+				CreatedAt:        time.Now(),
+			}
+
+			if err := s.certRepo.CreateVersion(ctx, version); err != nil {
+				return fmt.Errorf("failed to store certificate version: %w", err)
+			}
+
+			// Update certificate status and expiry
+			cert.Status = domain.CertificateStatusActive
+			cert.ExpiresAt = result.NotAfter
+			now := time.Now()
+			cert.LastRenewalAt = &now
+			cert.UpdatedAt = now
+			if err := s.certRepo.Update(ctx, cert); err != nil {
+				fmt.Printf("failed to update certificate: %v\n", err)
+			}
+		}
+	}
 
 	// Record audit event
 	if err := s.auditService.RecordEvent(ctx, agent.ID, domain.ActorTypeAgent,
@@ -305,14 +348,78 @@ func (s *AgentService) RegisterAgent(agent domain.Agent) (*domain.Agent, error)
 }
 
 // CSRSubmit processes a CSR submission from an agent (handler interface method).
+// The csrPEM parameter contains "certID:csrPEM" or just the CSR PEM.
 func (s *AgentService) CSRSubmit(agentID string, csrPEM string) (string, error) {
-	// For the handler interface, we accept the CSR as a string
 	err := s.SubmitCSR(context.Background(), agentID, "", []byte(csrPEM))
 	if err != nil {
 		return "", err
 	}
-	// Return the CSR as acknowledgment
-	return csrPEM, nil
+	return "csr_accepted", nil
+}
+
+// CSRSubmitForCert processes a CSR submission for a specific certificate (handler interface method).
+func (s *AgentService) CSRSubmitForCert(agentID string, certID string, csrPEM string) (string, error) {
+	err := s.SubmitCSR(context.Background(), agentID, certID, []byte(csrPEM))
+	if err != nil {
+		return "", err
+	}
+	return "csr_signed", nil
+}
+
+// GetWork returns pending deployment jobs for an agent (handler interface method).
+func (s *AgentService) GetWork(agentID string) ([]domain.Job, error) {
+	jobs, err := s.GetPendingWork(context.Background(), agentID)
+	if err != nil {
+		return nil, err
+	}
+	var result []domain.Job
+	for _, j := range jobs {
+		if j != nil {
+			result = append(result, *j)
+		}
+	}
+	return result, nil
+}
+
+// GetWorkWithTargets returns pending deployment jobs enriched with target type and config.
+// This allows agents to know which connector to invoke for each deployment job.
+func (s *AgentService) GetWorkWithTargets(agentID string) ([]domain.WorkItem, error) {
+	jobs, err := s.GetPendingWork(context.Background(), agentID)
+	if err != nil {
+		return nil, err
+	}
+
+	var items []domain.WorkItem
+	for _, j := range jobs {
+		if j == nil {
+			continue
+		}
+		item := domain.WorkItem{
+			ID:            j.ID,
+			Type:          j.Type,
+			CertificateID: j.CertificateID,
+			TargetID:      j.TargetID,
+			Status:        j.Status,
+		}
+
+		// Enrich with target details if target ID is present
+		if j.TargetID != nil && *j.TargetID != "" {
+			target, err := s.targetRepo.Get(context.Background(), *j.TargetID)
+			if err == nil {
+				item.TargetType = string(target.Type)
+				item.TargetConfig = target.Config
+			}
+		}
+
+		items = append(items, item)
+	}
+
+	return items, nil
+}
+
+// UpdateJobStatus reports a job's status from an agent (handler interface method).
+func (s *AgentService) UpdateJobStatus(agentID string, jobID string, status string, errMsg string) error {
+	return s.ReportJobStatus(context.Background(), agentID, jobID, domain.JobStatus(status), errMsg)
 }
 
 // CertificatePickup retrieves a certificate for an agent (handler interface method).

internal/service/deployment.go

@@ -279,7 +279,7 @@ func (s *DeploymentService) MarkDeploymentFailed(ctx context.Context, jobID stri
 		}
 
 		// Send deployment failure notification
-		if err := s.notificationSvc.SendDeploymentNotification(ctx, cert, target, false, fmt.Errorf(errMsg)); err != nil {
+		if err := s.notificationSvc.SendDeploymentNotification(ctx, cert, target, false, fmt.Errorf("%s", errMsg)); err != nil {
 			fmt.Printf("failed to send deployment notification: %v\n", err)
 		}
 	}

internal/service/issuer_adapter.go

@@ -0,0 +1,59 @@
+package service
+
+import (
+	"context"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+)
+
+// IssuerConnectorAdapter bridges the connector-layer issuer.Connector interface with the
+// service-layer IssuerConnector interface. This maintains dependency inversion: the service
+// layer defines the interface it needs, and this adapter wraps the concrete connector.
+type IssuerConnectorAdapter struct {
+	connector issuer.Connector
+}
+
+// NewIssuerConnectorAdapter wraps an issuer.Connector to implement service.IssuerConnector.
+func NewIssuerConnectorAdapter(c issuer.Connector) IssuerConnector {
+	return &IssuerConnectorAdapter{connector: c}
+}
+
+// IssueCertificate delegates to the underlying connector's IssueCertificate method,
+// translating between service-layer and connector-layer types.
+func (a *IssuerConnectorAdapter) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string) (*IssuanceResult, error) {
+	result, err := a.connector.IssueCertificate(ctx, issuer.IssuanceRequest{
+		CommonName: commonName,
+		SANs:       sans,
+		CSRPEM:     csrPEM,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &IssuanceResult{
+		CertPEM:   result.CertPEM,
+		ChainPEM:  result.ChainPEM,
+		Serial:    result.Serial,
+		NotBefore: result.NotBefore,
+		NotAfter:  result.NotAfter,
+	}, nil
+}
+
+// RenewCertificate delegates to the underlying connector's RenewCertificate method,
+// translating between service-layer and connector-layer types.
+func (a *IssuerConnectorAdapter) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string) (*IssuanceResult, error) {
+	result, err := a.connector.RenewCertificate(ctx, issuer.RenewalRequest{
+		CommonName: commonName,
+		SANs:       sans,
+		CSRPEM:     csrPEM,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &IssuanceResult{
+		CertPEM:   result.CertPEM,
+		ChainPEM:  result.ChainPEM,
+		Serial:    result.Serial,
+		NotBefore: result.NotBefore,
+		NotAfter:  result.NotAfter,
+	}, nil
+}

internal/service/job.go

@@ -95,22 +95,15 @@ func (s *JobService) processJob(ctx context.Context, job *domain.Job) error {
 }
 
 // processIssuanceJob handles a certificate issuance job.
-// This is a placeholder that documents the flow.
-// TODO: Implement actual issuance job processing if needed.
+// It reuses the renewal service's ProcessRenewalJob since the flow is identical:
+// generate key → create CSR → call issuer → store version → create deployment jobs.
+// The only difference is semantics (new cert vs renewed cert), not mechanics.
 func (s *JobService) processIssuanceJob(ctx context.Context, job *domain.Job) error {
 	s.logger.Debug("processing issuance job", "job_id", job.ID)
 
-	// TODO: Implement issuance job processing
-	// In production:
-	//   1. Fetch the certificate
-	//   2. Fetch the issuer
-	//   3. Generate or retrieve CSR
-	//   4. Call issuer to issue new certificate
-	//   5. Create certificate version
-	//   6. Update certificate status
-	//   7. Mark job as completed
-
-	return fmt.Errorf("issuance job processing not yet implemented")
+	// Issuance follows the same code path as renewal for the Local CA:
+	// generate server-side key + CSR → sign via issuer → store cert version → deploy
+	return s.renewalService.ProcessRenewalJob(ctx, job)
 }
 
 // processValidationJob handles a certificate validation job.

internal/service/renewal.go

@@ -2,6 +2,13 @@ package service
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"time"
 
@@ -11,19 +18,30 @@ import (
 
 // RenewalService manages certificate renewal workflows.
 type RenewalService struct {
-	certRepo         repository.CertificateRepository
-	jobRepo          repository.JobRepository
-	auditService     *AuditService
-	notificationSvc  *NotificationService
-	issuerRegistry   map[string]IssuerConnector
+	certRepo        repository.CertificateRepository
+	jobRepo         repository.JobRepository
+	auditService    *AuditService
+	notificationSvc *NotificationService
+	issuerRegistry  map[string]IssuerConnector
 }
 
-// IssuerConnector defines the interface for interacting with certificate issuers.
+// IssuerConnector defines the service-layer interface for interacting with certificate issuers.
+// This is distinct from the connector-layer issuer.Connector interface to maintain dependency
+// inversion. Use IssuerConnectorAdapter to bridge between the two.
 type IssuerConnector interface {
-	// RenewCertificate renews a certificate and returns the new certificate PEM.
-	RenewCertificate(ctx context.Context, csr []byte) ([]byte, error)
-	// GetCertificateChain returns the issuer's certificate chain.
-	GetCertificateChain(ctx context.Context) ([]byte, error)
+	// IssueCertificate issues a new certificate using the provided CSR PEM.
+	IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string) (*IssuanceResult, error)
+	// RenewCertificate renews a certificate using the provided CSR PEM.
+	RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string) (*IssuanceResult, error)
+}
+
+// IssuanceResult holds the result of a certificate issuance or renewal operation.
+type IssuanceResult struct {
+	CertPEM   string
+	ChainPEM  string
+	Serial    string
+	NotBefore time.Time
+	NotAfter  time.Time
 }
 
 // NewRenewalService creates a new renewal service.
@@ -72,12 +90,29 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 			continue
 		}
 
+		// Check for existing pending/running renewal jobs to avoid duplicates
+		existingJobs, err := s.jobRepo.ListByCertificate(ctx, cert.ID)
+		if err == nil {
+			hasActiveRenewal := false
+			for _, j := range existingJobs {
+				if j.Type == domain.JobTypeRenewal &&
+					(j.Status == domain.JobStatusPending || j.Status == domain.JobStatusRunning) {
+					hasActiveRenewal = true
+					break
+				}
+			}
+			if hasActiveRenewal {
+				continue
+			}
+		}
+
 		// Create renewal job
 		job := &domain.Job{
 			ID:            generateID("job"),
 			CertificateID: cert.ID,
 			Type:          domain.JobTypeRenewal,
 			Status:        domain.JobStatusPending,
+			MaxAttempts:   3,
 			ScheduledAt:   time.Now(),
 			CreatedAt:     time.Now(),
 		}
@@ -87,6 +122,12 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 			continue
 		}
 
+		// Update certificate status to RenewalInProgress
+		cert.Status = domain.CertificateStatusRenewalInProgress
+		if err := s.certRepo.Update(ctx, cert); err != nil {
+			fmt.Printf("failed to update cert status for %s: %v\n", cert.ID, err)
+		}
+
 		// Record audit event
 		_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
 			"renewal_job_created", "certificate", cert.ID,
@@ -96,7 +137,13 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 	return nil
 }
 
-// ProcessRenewalJob executes a renewal job: call issuer, store new version, update cert status.
+// ProcessRenewalJob executes a renewal job: generate CSR, call issuer, store new version,
+// update cert status, and create deployment jobs for targets.
+//
+// V1 Architecture Note: For the Local CA issuer, the control plane generates a server-side
+// ephemeral key + CSR. The private key is stored in the CertificateVersion.CSRPEM field
+// so agents can retrieve it for deployment. In V2+ with ACME/external CAs, agents will
+// generate keys locally and submit CSRs, so private keys never leave the target infrastructure.
 func (s *RenewalService) ProcessRenewalJob(ctx context.Context, job *domain.Job) error {
 	// Update job status to in-progress
 	if err := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusRunning, ""); err != nil {
@@ -106,40 +153,59 @@ func (s *RenewalService) ProcessRenewalJob(ctx context.Context, job *domain.Job)
 	// Fetch certificate
 	cert, err := s.certRepo.Get(ctx, job.CertificateID)
 	if err != nil {
-		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("certificate fetch failed: %v", err))
-		if updateErr != nil {
-			fmt.Printf("failed to update job status: %v\n", updateErr)
-		}
+		s.failJob(ctx, job, fmt.Sprintf("certificate fetch failed: %v", err))
 		return fmt.Errorf("failed to fetch certificate: %w", err)
 	}
 
 	// Get issuer connector
 	issuerID := cert.IssuerID
 	if issuerID == "" {
+		s.failJob(ctx, job, "certificate has no issuer assigned")
 		return fmt.Errorf("certificate has no issuer assigned")
 	}
 
 	connector, ok := s.issuerRegistry[issuerID]
 	if !ok {
-		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed,
-			fmt.Sprintf("issuer connector not found for %s", issuerID))
-		if updateErr != nil {
-			fmt.Printf("failed to update job status: %v\n", updateErr)
-		}
+		s.failJob(ctx, job, fmt.Sprintf("issuer connector not found for %s", issuerID))
 		return fmt.Errorf("issuer connector not found for %s", issuerID)
 	}
 
-	// TODO: In production, fetch CSR from agent or generate new CSR
-	// For now, we'd use cert.CSR or generate a new one from the private key
-	csr := []byte{} // placeholder
-
-	// Call issuer to renew
-	certPEM, err := connector.RenewCertificate(ctx, csr)
+	// Generate server-side RSA key + CSR for this renewal
+	// V1: server generates ephemeral key for Local CA. V2+: agent generates key locally.
+	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("issuer renewal failed: %v", err))
-		if updateErr != nil {
-			fmt.Printf("failed to update job status: %v\n", updateErr)
-		}
+		s.failJob(ctx, job, fmt.Sprintf("key generation failed: %v", err))
+		return fmt.Errorf("failed to generate private key: %w", err)
+	}
+
+	csrTemplate := &x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: cert.CommonName,
+		},
+		DNSNames: cert.SANs,
+	}
+
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
+	if err != nil {
+		s.failJob(ctx, job, fmt.Sprintf("CSR generation failed: %v", err))
+		return fmt.Errorf("failed to generate CSR: %w", err)
+	}
+
+	csrPEM := string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrDER,
+	}))
+
+	// Encode private key to PEM for storage (V1: stored so agent can retrieve for deployment)
+	privKeyPEM := string(pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privKey),
+	}))
+
+	// Call issuer connector to renew
+	result, err := connector.RenewCertificate(ctx, cert.CommonName, cert.SANs, csrPEM)
+	if err != nil {
+		s.failJob(ctx, job, fmt.Sprintf("issuer renewal failed: %v", err))
 
 		// Send failure notification
 		_ = s.notificationSvc.SendRenewalNotification(ctx, cert, false, err)
@@ -152,38 +218,63 @@ func (s *RenewalService) ProcessRenewalJob(ctx context.Context, job *domain.Job)
 		return fmt.Errorf("issuer renewal failed: %w", err)
 	}
 
+	// Compute SHA-256 fingerprint of the issued certificate
+	fingerprint := computeCertFingerprint(result.CertPEM)
+
 	// Create new certificate version
 	version := &domain.CertificateVersion{
-		ID:            generateID("certver"),
-		CertificateID: job.CertificateID,
-		SerialNumber:  fmt.Sprintf("renewed-%d", time.Now().Unix()),
-		PEMChain:      string(certPEM),
-		CreatedAt:     time.Now(),
+		ID:                generateID("certver"),
+		CertificateID:    job.CertificateID,
+		SerialNumber:     result.Serial,
+		NotBefore:        result.NotBefore,
+		NotAfter:         result.NotAfter,
+		FingerprintSHA256: fingerprint,
+		PEMChain:         result.CertPEM + "\n" + result.ChainPEM,
+		CSRPEM:           privKeyPEM, // V1: stores private key for agent deployment
+		CreatedAt:        time.Now(),
 	}
 
 	if err := s.certRepo.CreateVersion(ctx, version); err != nil {
-		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("version creation failed: %v", err))
-		if updateErr != nil {
-			fmt.Printf("failed to update job status: %v\n", updateErr)
-		}
+		s.failJob(ctx, job, fmt.Sprintf("version creation failed: %v", err))
 		return fmt.Errorf("failed to create certificate version: %w", err)
 	}
 
-	// Update certificate status
+	// Update certificate status and expiry
 	cert.Status = domain.CertificateStatusActive
+	cert.ExpiresAt = result.NotAfter
+	now := time.Now()
+	cert.LastRenewalAt = &now
+	cert.UpdatedAt = now
 	if err := s.certRepo.Update(ctx, cert); err != nil {
-		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("cert update failed: %v", err))
-		if updateErr != nil {
-			fmt.Printf("failed to update job status: %v\n", updateErr)
-		}
+		s.failJob(ctx, job, fmt.Sprintf("cert update failed: %v", err))
 		return fmt.Errorf("failed to update certificate: %w", err)
 	}
 
-	// Mark job as completed
+	// Mark renewal job as completed
 	if err := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusCompleted, ""); err != nil {
 		return fmt.Errorf("failed to update job status: %w", err)
 	}
 
+	// Create deployment jobs for each target
+	if len(cert.TargetIDs) > 0 {
+		for _, targetID := range cert.TargetIDs {
+			tid := targetID // capture loop variable
+			deployJob := &domain.Job{
+				ID:            generateID("job"),
+				CertificateID: cert.ID,
+				Type:          domain.JobTypeDeployment,
+				Status:        domain.JobStatusPending,
+				TargetID:      &tid,
+				MaxAttempts:   3,
+				ScheduledAt:   time.Now(),
+				CreatedAt:     time.Now(),
+			}
+			if err := s.jobRepo.Create(ctx, deployJob); err != nil {
+				fmt.Printf("failed to create deployment job for target %s: %v\n", targetID, err)
+			}
+		}
+	}
+
 	// Send success notification
 	if err := s.notificationSvc.SendRenewalNotification(ctx, cert, true, nil); err != nil {
 		fmt.Printf("failed to send renewal notification: %v\n", err)
@@ -192,12 +283,33 @@ func (s *RenewalService) ProcessRenewalJob(ctx context.Context, job *domain.Job)
 	// Record audit event
 	_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
 		"renewal_job_completed", "certificate", job.CertificateID,
-		map[string]interface{}{"job_id": job.ID, "serial": version.SerialNumber})
+		map[string]interface{}{
+			"job_id":    job.ID,
+			"serial":    result.Serial,
+			"not_after": result.NotAfter,
+		})
 
 	return nil
 }
 
-// Retry attempts to reprocess failed renewal jobs with exponential backoff.
+// failJob is a helper to mark a job as failed with an error message.
+func (s *RenewalService) failJob(ctx context.Context, job *domain.Job, errMsg string) {
+	if updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, errMsg); updateErr != nil {
+		fmt.Printf("failed to update job status: %v\n", updateErr)
+	}
+}
+
+// computeCertFingerprint computes the SHA-256 fingerprint of a PEM-encoded certificate.
+func computeCertFingerprint(certPEM string) string {
+	block, _ := pem.Decode([]byte(certPEM))
+	if block == nil {
+		return ""
+	}
+	hash := sha256.Sum256(block.Bytes)
+	return hex.EncodeToString(hash[:])
+}
+
+// RetryFailedJobs resets failed renewal jobs for retry if they haven't exceeded max attempts.
 func (s *RenewalService) RetryFailedJobs(ctx context.Context, maxRetries int) error {
 	failedJobs, err := s.jobRepo.ListByStatus(ctx, domain.JobStatusFailed)
 	if err != nil {