Remove maxNames from top-level RA and CA configs #8391

@aarongable

This is a cleanup / followup to #7993

The max names per cert is now enforced at the per-profile level in the RA. The config change has been deployed (IN-11055) so we can remove the config item left behind:

```go
// TODO(#7993): Remove this fallback and make ValidationProfile.MaxNames a
// required config field. We don't do any validation on the value of this
// top-level MaxNames because that happens inside the call to
// NewValidationProfiles below.
for _, pc := range c.RA.ValidationProfiles {
	if pc.MaxNames == 0 {
		pc.MaxNames = c.RA.MaxNames
	}
}
```

If we like, we can also remove the configurable enforcement in the CA:

```go
// MaxNames is the maximum number of subjectAltNames in a single cert.
// The value supplied MUST be greater than 0 and no more than 100. These
// limits are per section 7.1 of our combined CP/CPS, under "DV-SSL
// Subscriber Certificate". The value must match the RA and WFE
// configurations.
MaxNames int `validate:"required,min=1,max=100"`
```

This could be replaced with a custom lint, as suggested by #5492
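
The lint idea above, as an added example that is not Boulder's or zlint's code: a check on the DER certificate itself, so the 1..100 limit from the quoted comment holds even when no config value carries it. It uses only the Go standard library; `checkSANCount`, `makeCert` and the `example.test` names are hypothetical, and the certificates are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const maxNames = 100 // ceiling quoted in the issue: 1..100 names per cert

// checkSANCount (hypothetical lint) rejects a DER certificate whose SAN count,
// summed over the SAN types Go's parser exposes, is outside [1, limit].
func checkSANCount(der []byte, limit int) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	n := len(cert.DNSNames) + len(cert.IPAddresses) + len(cert.EmailAddresses) + len(cert.URIs)
	if n < 1 || n > limit {
		return fmt.Errorf("certificate has %d SANs, want 1..%d", n, limit)
	}
	return nil
}

// makeCert builds a constructed self-signed test certificate with n DNS SANs.
func makeCert(n int) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for i := 0; i < n; i++ {
		tmpl.DNSNames = append(tmpl.DNSNames, fmt.Sprintf("host%d.example.test", i))
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, err := makeCert(maxNames + 1)
	fmt.Println(err, checkSANCount(der, maxNames))
}
```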

Labels: starter (Ideal issues for folks getting familiar with Boulder)
