Right now Expiry Bot includes specific expiration date and hostname(s) in the expiration mail. This is fine, but not always enough to identify the specific certificate in question, like when there’s been an old cert with the same name, or a staging one; or it would be simply prudent to provide cryptographically or administratively unique identifying information about the subject of the email.
Cert serial number would seem to be an obvious choice (it’s in the default output of both openssl and certtool, apart from possibly any other).
Could also provide a hash, and perhaps a https://crt.sh/ link.
It should always be possible to identify the certificate by the information given now, though. (At least for a production certificate, since they’re logged to CT.) The email says whether it’s a staging or production certificate. You can identify the most recent certificate with those names expiring at the given time. It’s just not always convenient.
There was an open feature request for including the certificate fingerprint: https://github.com/letsencrypt/boulder/issues/2777 I’ve updated it to mention the certificate serial - likely a better choice for identifying the certificates in question than the fingerprint.
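The identifiers discussed in this thread (serial number, fingerprint hash, crt.sh link), computed from a certificate on disk so it can be matched against an expiry notice. This is an added example, not part of the thread or of Boulder's code; `SAMPLE_PEM` is a constructed DER skeleton rather than a real certificate, and the link uses crt.sh's `?sha256=` fingerprint lookup.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def identify(pem):
    """Serial, SHA-256 fingerprint and crt.sh link for one PEM certificate."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block")
    der = base64.b64decode("".join(match.group(1).split()))
    tag1, pos, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    tag2, pos, _ = read_tlv(der, pos)       # tbsCertificate SEQUENCE
    tag3, start, end = read_tlv(der, pos)
    if tag3 == 0xA0:                        # optional [0] version: skip it
        tag3, start, end = read_tlv(der, end)
    if (tag1, tag2, tag3) != (0x30, 0x30, 0x02):
        raise ValueError("not an X.509 certificate")
    # Hex serial without the DER sign-padding byte
    serial = der[start:end].lstrip(b"\x00").hex() or "00"
    digest = hashlib.sha256(der).hexdigest()  # fingerprint covers the whole DER
    return {"serial": serial, "sha256": digest,
            "crtsh": f"https://crt.sh/?sha256={digest}"}

def _tlv(tag, value):                       # test helper, short lengths only
    return bytes([tag, len(value)]) + value

# Constructed sample: just enough DER (version + serial) for the parser.
SERIAL = bytes.fromhex("03a1b2c3d4e5f60718293a4b5c6d7e8f9012")
_tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, SERIAL))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_tlv(0x30, _tbs)).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for key, value in identify(SAMPLE_PEM).items():
        print(f"{key}: {value}")
```

Run against each certificate file on a host, the serial and fingerprint separate an old or staging certificate from the current one even when hostnames match.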