Activates the CRL/OCSP responder pipeline that landed dormant in
phases 1-4 (commits dc44826, 6d1da84, ff20fba, c76bfcf):
* IssuerRegistry gains SetLocalIssuerDeps + LocalIssuerDeps struct.
Rebuild type-asserts each constructed connector to *local.Connector
and injects ocspResponderRepo + signerDriver + IssuerID + key dir
+ (optional) rotation-grace + validity overrides. Non-local
connectors are unaffected (the type-assert fails silently). Adapter
pattern preserved: callers still see service.IssuerConnector.
* cmd/server/main.go:
- constructs CRLCacheRepository + OCSPResponderRepository from db
- constructs signer.FileDriver (default; PKCS#11 driver plugs in
later via the same Driver interface, no main.go changes needed)
- calls issuerRegistry.SetLocalIssuerDeps(...) BEFORE BuildRegistry
so the deps are in place when local connectors are constructed
- wires CRLCacheService into CertificateService via SetCRLCacheSvc
(Phase 4 cache-aware GenerateDERCRL path now active)
- calls scheduler.SetCRLCacheService + SetCRLGenerationInterval
after sched is constructed; logs the interval at startup
* config: new OCSPResponderConfig struct + Scheduler.CRLGenerationInterval
field. Three new env vars:
CERTCTL_OCSP_RESPONDER_KEY_DIR (no default; operator MUST set in prod)
CERTCTL_OCSP_RESPONDER_ROTATION_GRACE (default 7d)
CERTCTL_OCSP_RESPONDER_VALIDITY (default 30d)
CERTCTL_CRL_GENERATION_INTERVAL (default 1h)
Backward compat: when env vars are unset, the responder bootstrap path
still activates (with default rotation grace + validity, key dir = cwd
which is fine for tests), and the CRL cache pre-populates on the
1h interval. Operators not running the local issuer see no behavior
change.
go vet clean across the full module. Targeted tests for config +
service + scheduler packages all green. Full module build deferred
to CI (sandbox /sessions disk pressure prevented unzipping a
transitive dep — same disk-full pattern the prior commits hit; not
a code issue).
Replace static env-var-based issuer wiring with GUI-driven dynamic
configuration stored encrypted in PostgreSQL. Operators can now
configure, test, enable/disable, and manage issuers from the dashboard
without restarting the server.
Key changes:
- AES-256-GCM encryption for sensitive issuer config at rest (PBKDF2
key derivation with 100k iterations)
- Dynamic IssuerRegistry with sync.RWMutex replacing static map
- Connector factory pattern (issuerfactory.NewFromConfig) replacing
140 lines of static wiring in main.go
- Migration 000009: encrypted_config, last_tested_at, test_status,
source columns on issuers table
- Env var seeding on first boot with ON CONFLICT DO NOTHING
- Registry Rebuild() for atomic map swap after CRUD operations
- Issuer type validation against domain constants on Create
- Audit trail for test connection results
- Conditional seeding for step-ca/OpenSSL (only when env vars set)
- GUI: source badge, connection test status on issuer detail page
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shankar