I can’t find anything in the RFCs stating a newline must/should be a certain sequence.
Part of me thinks I am looking in the wrong RFCs, however in my usage, it has not mattered when connecting to boulder or pebble, or installing into a server.
certbot seems to use “\n”
the letsencrypt certs use either:
As you're listing three certificates as examples, I'm assuming — although you didn't specify this anywhere — this thread is limited to the textual encoding of certificates.
The first RFC I googled for (search keys: x509 pem rfc), has the answer:
getLine results the first \r\n or \n delineated line from the given byte array. The line does not include trailing whitespace or the trailing new line bytes. The remainder of the byte array (also not including the new line bytes) is also returned and this will always be smaller than the original argument.
This would mean that Go, in contrast of RFC 7468, does not accept "\r only" newlines. Fortunately, not many systems use \r newlines, the first thing that comes close is "classic Mac OS" (pre-Mac OS X versions).
I don't think there is anywhere in the ACME API that requires us to handle PEM encoding from clients. Recall that RFC 8555 specifies the CSR parameter of an order finalize request to be the "base64url-encoded version of the DER".
The example URLs' that @jvanasco shared aren't part of the ACME API. It looks like we should probably normalize the newlines in those static files ref'd by the website anyway. I'll file a website issue.
I'm not a Boulder expert but I was thinking more of using PEM-encoded stuff for signing et cetera, when nog using a HSM. In that case Boulder would need to read a private key from somewhere, possibly a PEM-encoded private key? Or would Boulder use a separate "software HSM" for the signing? Like I said, not a Boulder expert
Hm, but according to RFC 7468 that's actually not really necessary?