===========
 PROVIDERS
===========

letsencrypt
    certificates issued from let's encrypt

selfsigned
    self-signed certificates


=============
 IDENTIFIERS
=============

fqdn
    the primary fully qualified name (e.g. "example.com") or subject alternative
    name.

fqdnsansidentifier
    fqdnsansidentifier is deterministically calculated from the particular
    FQDN+SANs and the provider.

itemidentifier
    the itemidentifier begins with the datetime when the item was committed,
    and is followed by an arbitrary suffix in order to make clashes near
    impossible.

==================
 DIRECTORY LAYOUT
==================

/var/lib/<package>/letsencrypt-account/<uniq_identifier>/
    directory containing an account keypair
    file ``account_key.pem`` the private part
    file ``account_pub.pem`` the public part

/var/lib/<package>/letsencrypt-account/current
    symlink pointing to the currently active account

/var/lib/<package>/spool/<fqdnsansidentifier>/
    the directory contains:

    file ``domain.list`` one line with the FQDN and SANs 
    file ``key.pem``
    file ``csr.pem``
    file ``crt.pem``
    file ``chain.pem`` the intermediate certificates, excluding the CA
    file ``ca.pem`` the top-most ca-certificate which signed crt.pem
    file ``crt+chain.pem`` crt and chain concatenated
    file ``crt+chain+key.pem`` crt, chain and key concatenated
    file ``isfailed.bool`` contains "true" or "false". Default: "false"
    file ``isselfsign.bool`` contains "true" or "false". Default: "false"
    file ``isletsencrypt.bool`` contains "true" or "false". Default: "false"

/var/lib/<package>/database/items/<itemidentifier>/
    the primary hold for all committed items. once comitted, the item's
    content must not change. see spool-item description to get a description
    of the item contents.

/var/lib/<package>/database/latest-by-fqdn/<fqdn>
    symlink to the most recently issued certificate for the particular fqdn/san.
    the symlink must be relative.

/var/lib/<package>/database/latest-letsencrypt-by-fqdn/<fqdn>
    symlink to the most recently issued let's encrypt certificate for the
    particular fqdn/san.
    the symlink must be relative.

/var/lib/<package>/database/latest-selfsigned-by-fqdn/<fqdn>
    symlink to the most recently issued self-signed certificate for the
    particular fqdn/san.
    the symlink must be relative.
