-rw-r--r--config-model-api/abi-spec.json37
-rw-r--r--config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateMetadata.java15
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataSerializer.java28
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java3
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataStoreTest.java8
5 files changed, 81 insertions, 10 deletions
diff --git a/config-model-api/abi-spec.json b/config-model-api/abi-spec.json
index 8ebe0069a29..d0173de4f9e 100644
--- a/config-model-api/abi-spec.json
+++ b/config-model-api/abi-spec.json
@@ -1135,6 +1135,24 @@
],
"fields" : [ ]
},
+ "com.yahoo.config.model.api.EndpointCertificateMetadata$Provider" : {
+ "superClass" : "java.lang.Enum",
+ "interfaces" : [ ],
+ "attributes" : [
+ "public",
+ "final",
+ "enum"
+ ],
+ "methods" : [
+ "public static com.yahoo.config.model.api.EndpointCertificateMetadata$Provider[] values()",
+ "public static com.yahoo.config.model.api.EndpointCertificateMetadata$Provider valueOf(java.lang.String)"
+ ],
+ "fields" : [
+ "public static final enum com.yahoo.config.model.api.EndpointCertificateMetadata$Provider digicert",
+ "public static final enum com.yahoo.config.model.api.EndpointCertificateMetadata$Provider globalsign",
+ "public static final enum com.yahoo.config.model.api.EndpointCertificateMetadata$Provider zerossl"
+ ]
+ },
"com.yahoo.config.model.api.EndpointCertificateMetadata" : {
"superClass" : "java.lang.Object",
"interfaces" : [ ],
@@ -1142,16 +1160,33 @@
"public"
],
"methods" : [
- "public void <init>(java.lang.String, java.lang.String, int)",
+ "public void <init>(java.lang.String, java.lang.String, int, com.yahoo.config.model.api.EndpointCertificateMetadata$Provider)",
"public java.lang.String keyName()",
"public java.lang.String certName()",
"public int version()",
+ "public com.yahoo.config.model.api.EndpointCertificateMetadata$Provider issuer()",
"public java.lang.String toString()",
"public boolean equals(java.lang.Object)",
"public int hashCode()"
],
"fields" : [ ]
},
+ "com.yahoo.config.model.api.EndpointCertificateSecretStore" : {
+ "superClass" : "java.lang.Object",
+ "interfaces" : [ ],
+ "attributes" : [
+ "public",
+ "abstract"
+ ],
+ "methods" : [
+ "public void <init>()",
+ "public final com.yahoo.config.model.api.EndpointCertificateSecrets getSecret(com.yahoo.config.model.api.EndpointCertificateMetadata)",
+ "public abstract java.util.Optional getPrivateKey(com.yahoo.config.model.api.EndpointCertificateMetadata)",
+ "public abstract java.util.Optional getCertificate(com.yahoo.config.model.api.EndpointCertificateMetadata)",
+ "public abstract boolean supports(com.yahoo.config.model.api.EndpointCertificateMetadata$Provider)"
+ ],
+ "fields" : [ ]
+ },
"com.yahoo.config.model.api.EndpointCertificateSecrets" : {
"superClass" : "java.lang.Object",
"interfaces" : [ ],
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateMetadata.java b/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateMetadata.java
index a4b0159ed4a..591677f6677 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateMetadata.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/EndpointCertificateMetadata.java
@@ -5,14 +5,17 @@ import java.util.Objects;
public class EndpointCertificateMetadata {
+ public enum Provider { digicert, globalsign, zerossl }
private final String keyName;
private final String certName;
private final int version;
+ private final Provider issuer;
- public EndpointCertificateMetadata(String keyName, String certName, int version) {
+ public EndpointCertificateMetadata(String keyName, String certName, int version, Provider issuer) {
this.keyName = keyName;
this.certName = certName;
this.version = version;
+ this.issuer = issuer;
}
public String keyName() {
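Review bot: The new `issuer` argument is stored without a null check in the constructor, while `serializedValue` in EndpointCertificateMetadataSerializer switches on it, and a switch over a null enum throws NullPointerException. A caller passing null would therefore get an object whose `toString`, `equals` and `hashCode` all succeed and which only fails later, inside `toSlime`. Rejecting it at construction keeps the failure next to its cause: `this.issuer = Objects.requireNonNull(issuer, "issuer");` (the hunk header shows `java.util.Objects` is already imported). The class body continues outside this hunk.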
@@ -27,25 +30,31 @@ public class EndpointCertificateMetadata {
return version;
}
+ public Provider issuer() {
+ return issuer;
+ }
+
@Override
public String toString() {
return "EndpointCertificateMetadata{" +
"keyName='" + keyName + '\'' +
", certName='" + certName + '\'' +
", version=" + version +
+ ", issuer='" + issuer + '\'' +
'}';
}
+
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
EndpointCertificateMetadata that = (EndpointCertificateMetadata) o;
- return version == that.version && Objects.equals(keyName, that.keyName) && Objects.equals(certName, that.certName);
+ return version == that.version && Objects.equals(keyName, that.keyName) && Objects.equals(certName, that.certName) && Objects.equals(issuer, that.issuer);
}
@Override
public int hashCode() {
- return Objects.hash(keyName, certName, version);
+ return Objects.hash(keyName, certName, version, issuer);
}
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataSerializer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataSerializer.java
index 7b8987a22b2..d3c026dbc0d 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataSerializer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataSerializer.java
@@ -4,8 +4,13 @@ package com.yahoo.vespa.config.server.tenant;
import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.Inspector;
+import com.yahoo.slime.SlimeUtils;
import com.yahoo.slime.Type;
+import static com.yahoo.config.model.api.EndpointCertificateMetadata.Provider.digicert;
+import static com.yahoo.config.model.api.EndpointCertificateMetadata.Provider.globalsign;
+import static com.yahoo.config.model.api.EndpointCertificateMetadata.Provider.zerossl;
+
/**
* (de)serializes endpoint certificate metadata
*
@@ -23,11 +28,13 @@ public class EndpointCertificateMetadataSerializer {
private final static String keyNameField = "keyName";
private final static String certNameField = "certName";
private final static String versionField = "version";
+ private final static String issuerField = "issuer";
public static void toSlime(EndpointCertificateMetadata metadata, Cursor object) {
object.setString(keyNameField, metadata.keyName());
object.setString(certNameField, metadata.certName());
object.setLong(versionField, metadata.version());
+ object.setString(issuerField, serializedValue(metadata.issuer()));
}
public static EndpointCertificateMetadata fromSlime(Inspector inspector) {
@@ -35,9 +42,26 @@ public class EndpointCertificateMetadataSerializer {
return new EndpointCertificateMetadata(
inspector.field(keyNameField).asString(),
inspector.field(certNameField).asString(),
- Math.toIntExact(inspector.field(versionField).asLong())
- );
+ Math.toIntExact(inspector.field(versionField).asLong()),
+ providerOf(SlimeUtils.optionalString(inspector.field(issuerField)).orElse("")));
}
throw new IllegalArgumentException("Unknown format encountered for endpoint certificate metadata!");
}
+
+ private static EndpointCertificateMetadata.Provider providerOf(String name) {
+ return switch (name) {
+ case "digicert" -> digicert;
+ case "globalsign" -> globalsign;
+ case "zerossl" -> zerossl;
+ default -> digicert;
+ };
+ }
+
+ private static String serializedValue(EndpointCertificateMetadata.Provider provider) {
+ return switch (provider) {
+ case digicert -> "digicert";
+ case globalsign -> "globalsign";
+ case zerossl -> "zerossl";
+ };
+ }
}
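Review bot: In `providerOf`, `default -> digicert` covers both a missing `issuer` field (the `orElse("")` case for records written before this change) and any unrecognised non-empty name. The second case means a typo, a corrupted record or a provider name written by a newer version is silently treated as digicert; since the provider appears to select which secret store serves the key and certificate (`EndpointCertificateSecretStore.supports(Provider)` in the ABI spec), the lookup would then go to the wrong store with no trace of why. Making the legacy default explicit and failing on everything else surfaces that: `case "", "digicert" -> digicert;` and `default -> throw new IllegalArgumentException("Unknown endpoint certificate provider: " + name);`. If older config servers must tolerate newer provider names, logging a warning before falling back would be the softer alternative.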
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java
index 9f2ddafd028..1e694be0480 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/session/PrepareParamsTest.java
@@ -28,6 +28,7 @@ import java.time.Duration;
import java.util.List;
import java.util.OptionalInt;
+import static com.yahoo.config.model.api.EndpointCertificateMetadata.Provider.digicert;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -119,7 +120,7 @@ public class PrepareParamsTest {
@Test
public void testEndpointCertificateParsing() throws IOException {
- var certMeta = new EndpointCertificateMetadata("key", "cert", 3);
+ var certMeta = new EndpointCertificateMetadata("key", "cert", 3, digicert);
var slime = new Slime();
EndpointCertificateMetadataSerializer.toSlime(certMeta, slime.setObject());
String encoded = URLEncoder.encode(new String(SlimeUtils.toJsonBytes(slime), StandardCharsets.UTF_8), StandardCharsets.UTF_8);
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataStoreTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataStoreTest.java
index 69b9d458962..99dccf6d418 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataStoreTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateMetadataStoreTest.java
@@ -23,7 +23,9 @@ import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
+import java.util.List;
+import static com.yahoo.config.model.api.EndpointCertificateMetadata.Provider.digicert;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@@ -46,7 +48,7 @@ public class EndpointCertificateMetadataStoreTest {
public void setUp() {
curator = new MockCurator();
endpointCertificateMetadataStore = new EndpointCertificateMetadataStore(curator, tenantPath);
- endpointCertificateRetriever = new EndpointCertificateRetriever(secretStore);
+ endpointCertificateRetriever = new EndpointCertificateRetriever(List.of(new DefaultEndpointCertificateSecretStore(secretStore)));
secretStore.put("vespa.tlskeys.tenant1--app1-cert", X509CertificateUtils.toPem(certificate));
secretStore.put("vespa.tlskeys.tenant1--app1-key", KeyUtils.toPem(keyPair.getPrivate()));
@@ -68,11 +70,11 @@ public class EndpointCertificateMetadataStoreTest {
@Test
public void can_write_object_format() {
- var endpointCertificateMetadata = new EndpointCertificateMetadata("key-name", "cert-name", 1);
+ var endpointCertificateMetadata = new EndpointCertificateMetadata("key-name", "cert-name", 1, digicert);
endpointCertificateMetadataStore.writeEndpointCertificateMetadata(applicationId, endpointCertificateMetadata);
- assertEquals("{\"keyName\":\"key-name\",\"certName\":\"cert-name\",\"version\":1}",
+ assertEquals("{\"keyName\":\"key-name\",\"certName\":\"cert-name\",\"version\":1,\"issuer\":\"digicert\"}",
new String(curator.getData(endpointCertificateMetadataPath).orElseThrow()));
}
}
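Review bot: The updated tests only write and round-trip `digicert`, so neither the backward-compatibility path nor the other two providers are exercised. The case most likely to regress is reading metadata stored before this change, where `fromSlime` finds no `issuer` field and must still yield digicert. A test that builds a Slime object holding only `keyName`, `certName` and `version` and asserts `assertEquals(digicert, EndpointCertificateMetadataSerializer.fromSlime(legacy.get()).issuer());` would pin it (`legacy` being that constructed Slime). A round trip with `zerossl` would also catch any mismatch between `serializedValue` and `providerOf`.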