letsencrypt · jsha · Feb 12, 2025 · Feb 14, 2025 · Feb 14, 2025 · Feb 14, 2025
@@ -39,6 +39,7 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	"github.com/letsencrypt/boulder/linter"
 	blog "github.com/letsencrypt/boulder/log"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 )
 
@@ -99,6 +100,7 @@ type caMetrics struct {
 	signatureCount *prometheus.CounterVec
 	signErrorCount *prometheus.CounterVec
 	lintErrorCount prometheus.Counter
+	certificates   *prometheus.CounterVec
 }
 
 func NewCAMetrics(stats prometheus.Registerer) *caMetrics {
@@ -123,7 +125,15 @@ func NewCAMetrics(stats prometheus.Registerer) *caMetrics {
 		})
 	stats.MustRegister(lintErrorCount)
 
-	return &caMetrics{signatureCount, signErrorCount, lintErrorCount}
+	certificates := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "certificates",
+			Help: "Number of certificates issued",
+		},
+		[]string{"profile"})
+	stats.MustRegister(certificates)
+
+	return &caMetrics{signatureCount, signErrorCount, lintErrorCount, certificates}
 }
 
 func (m *caMetrics) noteSignError(err error) {
@@ -138,6 +148,7 @@ func (m *caMetrics) noteSignError(err error) {
 type certificateAuthorityImpl struct {
 	capb.UnsafeCertificateAuthorityServer
 	sa           sapb.StorageAuthorityCertificateClient
+	sctClient    rapb.SCTProviderClient
 	pa           core.PolicyAuthority
 	issuers      issuerMaps
 	certProfiles certProfilesMaps
@@ -227,6 +238,7 @@ func makeCertificateProfilesMap(profiles map[string]*issuance.ProfileConfigNew)
 // OCSP (via delegation to an ocspImpl and its issuers).
 func NewCertificateAuthorityImpl(
 	sa sapb.StorageAuthorityCertificateClient,
+	sctService rapb.SCTProviderClient,
 	pa core.PolicyAuthority,
 	boulderIssuers []*issuance.Issuer,
 	certificateProfiles map[string]*issuance.ProfileConfigNew,
@@ -261,6 +273,7 @@ func NewCertificateAuthorityImpl(
 
 	ca = &certificateAuthorityImpl{
 		sa:           sa,
+		sctClient:    sctService,
 		pa:           pa,
 		issuers:      issuers,
 		certProfiles: certProfiles,
@@ -343,6 +356,31 @@ func (ca *certificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 	}, nil
 }
 
+func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, issueReq *capb.IssueCertificateRequest) (*capb.IssueCertificateResponse, error) {
+	if ca.sctClient == nil {
+		return nil, errors.New("IssueCertificate called with a nil SCT service")
+	}
+	precert, err := ca.IssuePrecertificate(ctx, issueReq)
+	if err != nil {
+		return nil, err
+	}
+	scts, err := ca.sctClient.GetSCTs(ctx, &rapb.SCTRequest{PrecertDER: precert.DER})
+	if err != nil {
+		return nil, err
+	}
+	cert, err := ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+		DER:             precert.DER,
+		SCTs:            scts.SctDER,
+		RegistrationID:  issueReq.RegistrationID,
+		OrderID:         issueReq.OrderID,
+		CertProfileHash: precert.CertProfileHash,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &capb.IssueCertificateResponse{DER: cert.Der}, nil
+}
+
 // IssueCertificateForPrecertificate final step in the [issuance cycle].
 //
 // Given a precertificate and a set of SCTs for that precertificate, it generates
@@ -453,6 +491,7 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
 	}
 
 	ca.metrics.signatureCount.With(prometheus.Labels{"purpose": string(certType), "issuer": issuer.Name()}).Inc()
+	ca.metrics.certificates.With(prometheus.Labels{"profile": certProfile.name}).Inc()
 	logEvent.Result.Certificate = hex.EncodeToString(certDER)
 	ca.log.AuditObject("Signing cert success", logEvent)
 

@@ -37,6 +37,7 @@ import (
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/must"
 	"github.com/letsencrypt/boulder/policy"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 	"github.com/letsencrypt/boulder/test"
 )
@@ -204,7 +205,12 @@ func setup(t *testing.T) *testCtx {
 			Name: "lint_errors",
 			Help: "Number of issuances that were halted by linting errors",
 		})
-	cametrics := &caMetrics{signatureCount, signErrorCount, lintErrorCount}
+	certificatesCount := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "certificates",
+			Help: "Number of certificates issued",
+		}, []string{"profile"})
+	cametrics := &caMetrics{signatureCount, signErrorCount, lintErrorCount, certificatesCount}
 
 	ocsp, err := NewOCSPImpl(
 		boulderIssuers,
@@ -254,6 +260,7 @@ func TestSerialPrefix(t *testing.T) {
 		nil,
 		nil,
 		nil,
+		nil,
 		0x00,
 		testCtx.maxNames,
 		testCtx.keyPolicy,
@@ -267,6 +274,7 @@ func TestSerialPrefix(t *testing.T) {
 		nil,
 		nil,
 		nil,
+		nil,
 		0x80,
 		testCtx.maxNames,
 		testCtx.keyPolicy,
@@ -354,11 +362,18 @@ func TestIssuePrecertificate(t *testing.T) {
 	}
 }
 
+type mockSCTService struct{}
+
+func (m mockSCTService) GetSCTs(ctx context.Context, sctRequest *rapb.SCTRequest, _ ...grpc.CallOption) (*rapb.SCTResponse, error) {
+	return &rapb.SCTResponse{}, nil
+}
+
 func issueCertificateSubTestSetup(t *testing.T) (*certificateAuthorityImpl, *mockSA) {
 	testCtx := setup(t)
 	sa := &mockSA{}
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,
@@ -397,6 +412,7 @@ func TestNoIssuers(t *testing.T) {
 	sa := &mockSA{}
 	_, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		nil, // No issuers
 		testCtx.certProfiles,
@@ -417,6 +433,7 @@ func TestMultipleIssuers(t *testing.T) {
 	sa := &mockSA{}
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,
@@ -486,6 +503,7 @@ func TestUnpredictableIssuance(t *testing.T) {
 
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		boulderIssuers,
 		testCtx.certProfiles,
@@ -678,6 +696,7 @@ func TestInvalidCSRs(t *testing.T) {
 		sa := &mockSA{}
 		ca, err := NewCertificateAuthorityImpl(
 			sa,
+			mockSCTService{},
 			testCtx.pa,
 			testCtx.boulderIssuers,
 			testCtx.certProfiles,
@@ -716,6 +735,7 @@ func TestRejectValidityTooLong(t *testing.T) {
 
 	ca, err := NewCertificateAuthorityImpl(
 		&mockSA{},
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,
@@ -808,6 +828,7 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
 	sa := &mockSA{}
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,
@@ -869,6 +890,7 @@ func TestIssueCertificateForPrecertificateWithSpecificCertificateProfile(t *test
 	sa := &mockSA{}
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,
@@ -984,6 +1006,7 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
 	sa := &dupeSA{}
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,
@@ -1026,6 +1049,7 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
 	errorsa := &getCertErrorSA{}
 	errorca, err := NewCertificateAuthorityImpl(
 		errorsa,
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,

@@ -31,6 +31,7 @@ func TestOCSP(t *testing.T) {
 	testCtx := setup(t)
 	ca, err := NewCertificateAuthorityImpl(
 		&mockSA{},
+		mockSCTService{},
 		testCtx.pa,
 		testCtx.boulderIssuers,
 		testCtx.certProfiles,