I’ve got a few questions on how to get started with issuing the ECDSA certificates.
Currently we are able to issue an RSA certificate once an order is created and the domain is validated. Is it possible to get an ECDSA certificate in the same order? I understand that we can send /finalize only once per order, but if there is some way, that would be nice, since we could avoid going through the validation process again.
Alternatively, we’ve also tried creating two orders in parallel to get both certificates at similar times in our flow, but it looks like only one order can be open at a time for the same SANs. A second /newOrder call returns the order ID from the previous call. Any workarounds for this?
When a domain is validated, it is valid for a month. It is just implemented that way in Let's Encrypt's ACME server. So a second order (using the same account) soon after the first certificate is issued will not require revalidation of the domains.
Unfortunately, ACME doesn't let you request two certificates in one order.
I think your best bet here is to do the two orders in sequence: Create one, fully validate it, finalize; then create the next one. On the second new-order call, Boulder will see that you have valid authorizations for all the SANs, and will automatically attach those authorizations to the second new-order so you don't have to re-do validations and can go straight to finalize.
The second order request should probably still have a certain amount of resiliency, since there are edge cases where the valid authorizations might expire or be deactivated between Order 1 and Order 2.
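The sequential flow and the resiliency point discussed in this thread, sketched as an added example that is not part of the original posts and is not Boulder's or any ACME client's code. The status values are those defined in RFC 8555; `next_step`, `fetch_authz`, the URLs and the domain names are assumptions made for the illustration.

```python
# Added example: decide what the second (ECDSA) order needs before /finalize.
# Status strings follow RFC 8555; all URLs and names below are constructed.

def next_step(order, fetch_authz):
    """Return (action, authz_urls_that_still_need_a_challenge).

    order       -- order object as returned by newOrder (dict)
    fetch_authz -- hypothetical callable: authorization URL -> authorization object
    """
    simple = {"ready": "finalize", "processing": "poll",
              "valid": "download", "invalid": "new-order"}
    if order["status"] in simple:
        return simple[order["status"]], []

    # status == "pending": at least one authorization was not reused as valid.
    todo = []
    for url in order["authorizations"]:
        status = fetch_authz(url)["status"]
        if status == "valid":
            continue                  # reused from the first order
        if status == "pending":
            todo.append(url)          # a challenge must be answered again
        else:
            # invalid / expired / deactivated / revoked: order cannot complete
            return "new-order", []
    # Nothing pending: the server has not yet moved the order to "ready".
    return ("validate", todo) if todo else ("poll", [])


# Constructed sample data (placeholder host and domains).
BASE = "https://acme.example/authz/"
AUTHZ = {
    BASE + "1": {"identifier": {"type": "dns", "value": "example.com"}, "status": "valid"},
    BASE + "2": {"identifier": {"type": "dns", "value": "www.example.com"}, "status": "pending"},
    BASE + "3": {"identifier": {"type": "dns", "value": "old.example.com"}, "status": "deactivated"},
}
REUSED = {"status": "ready", "authorizations": [BASE + "1"]}
PARTIAL = {"status": "pending", "authorizations": [BASE + "1", BASE + "2"]}
BROKEN = {"status": "pending", "authorizations": [BASE + "1", BASE + "3"]}

if __name__ == "__main__":
    for name, order in [("reused", REUSED), ("partial", PARTIAL), ("broken", BROKEN)]:
        print(name, next_step(order, AUTHZ.__getitem__))
```
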