crl/ocsp: POST OCSP endpoint (RFC 6960 §A.1.1) + cache integration

Phase 4 (final phase) of the CRL/OCSP responder bundle. Closes the
backend slice; HTTP layer is now production-ready for relying parties.

What landed:

  * POST /.well-known/pki/ocsp/{issuer_id} (handler.HandleOCSPPost)
    - Accepts binary application/ocsp-request body per RFC 6960 §A.1.1
    - Tolerant of missing Content-Type (some clients omit); validates
      via ocsp.ParseRequest, returns 400 on malformed
    - Returns 415 on explicit wrong Content-Type
    - Reuses the existing service path (h.svc.GetOCSPResponse) — the
      only new logic is body decoding + serial-from-OCSPRequest extraction
    - GET form preserved unchanged for ad-hoc curl + human URL paths
    - Auth-exempt under /.well-known/pki/ prefix (already in
      AuthExemptDispatchPrefixes — no router changes for that)
    - 7 new tests: success, method-not-allowed, wrong content-type,
      missing content-type accepted, malformed body, missing issuer,
      service error propagation

  * router.go: r.Register("POST /.well-known/pki/ocsp/{issuer_id}", ...)

  * CertificateService.GenerateDERCRL — cache-aware:
    - New SetCRLCacheSvc(svc) setter (matches existing SetCAOperationsSvc
      pattern — optional dep)
    - When wired, GenerateDERCRL calls crlCacheSvc.Get → cheap DB read
      on cache hit, singleflight-coalesced regen on miss
    - When unwired, falls back to historical caSvc.GenerateDERCRL path
    - GET /.well-known/pki/crl/{issuer_id} handler unchanged — calls
      the same service method, gets cache benefit transparently when
      the cache service is wired in cmd/server/main.go

Coverage: handler 79.8% (floor 75), service unchanged, scheduler 78%.

What's deferred (intentional scope cut for this session):

  * cmd/server/main.go wiring of CRLCacheService + responder service
    setters into the local issuer factory + scheduler. The wiring is
    mechanical (NewCRLCacheService + scheduler.SetCRLCacheService call
    in the existing wiring block); deferring keeps this commit focused
    on the responder + cache primitives. Operator can wire when ready.
  * Phase 5 (GUI), Phase 6 (e2e test against kind), Phase 7 (release
    prep) — separate follow-up sessions.
  * OCSP cache integration: today's GET/POST OCSP path goes through
    the on-demand SignOCSPResponse (already cheap with the dedicated
    responder cert from Phase 2). A cached-OCSP path is V3-Pro polish.

The bundle's V2 backend slice (Phases 0-4) is complete. All 4 phases
shipped 4 commits + 1 amend on this branch. CI will validate the
testcontainers repository tests on push.

internal/service/certificate.go

@@ -12,14 +12,19 @@ import (
 
 // CertificateService provides business logic for certificate management.
 type CertificateService struct {
-	certRepo       repository.CertificateRepository
-	targetRepo     repository.TargetRepository
-	jobRepo        repository.JobRepository
-	policyService  *PolicyService
-	auditService   *AuditService
-	revSvc         *RevocationSvc
-	caSvc          *CAOperationsSvc
-	keygenMode     string
+	certRepo      repository.CertificateRepository
+	targetRepo    repository.TargetRepository
+	jobRepo       repository.JobRepository
+	policyService *PolicyService
+	auditService  *AuditService
+	revSvc        *RevocationSvc
+	caSvc         *CAOperationsSvc
+	// crlCacheSvc, when set, makes GenerateDERCRL serve from the
+	// pre-generated cache instead of regenerating per request. Bundle
+	// CRL/OCSP-Responder Phase 4. Optional; when nil GenerateDERCRL
+	// falls back to the historical on-demand path via caSvc.
+	crlCacheSvc *CRLCacheService
+	keygenMode  string
 }
 
 // NewCertificateService creates a new certificate service.
@@ -45,6 +50,17 @@ func (s *CertificateService) SetCAOperationsSvc(svc *CAOperationsSvc) {
 	s.caSvc = svc
 }
 
+// SetCRLCacheSvc wires the CRL cache service. When set, GenerateDERCRL
+// reads from the scheduler-pre-generated cache (cheap DB lookup) and
+// only triggers an on-demand regeneration on cache miss / staleness.
+// When unset, GenerateDERCRL falls back to the historical per-request
+// regeneration via caSvc.
+//
+// Bundle CRL/OCSP-Responder Phase 4.
+func (s *CertificateService) SetCRLCacheSvc(svc *CRLCacheService) {
+	s.crlCacheSvc = svc
+}
+
 // SetTargetRepo sets the target repository for deployment queries.
 func (s *CertificateService) SetTargetRepo(repo repository.TargetRepository) {
 	s.targetRepo = repo
@@ -481,9 +497,23 @@ func (s *CertificateService) GetRevokedCertificates(ctx context.Context) ([]*dom
 	return s.revSvc.GetRevokedCertificates(ctx)
 }
 
-// GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
-// Delegates to CAOperationsSvc.
+// GenerateDERCRL returns the DER-encoded X.509 CRL for the given
+// issuer. When the CRL cache service is wired (SetCRLCacheSvc), reads
+// from the scheduler-pre-generated cache and only regenerates on miss
+// / staleness — the cache layer's singleflight gate collapses
+// concurrent miss requests to a single underlying generation.
+//
+// When the cache service is not wired, falls back to the historical
+// on-demand path via CAOperationsSvc.GenerateDERCRL — every HTTP fetch
+// triggers a fresh generation.
+//
+// Backward-compatible: existing callers that don't wire the cache see
+// no behavioural change.
 func (s *CertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
+	if s.crlCacheSvc != nil {
+		der, _, err := s.crlCacheSvc.Get(ctx, issuerID)
+		return der, err
+	}
 	if s.caSvc == nil {
 		return nil, fmt.Errorf("CA operations service not configured")
 	}