The issuing CA of course needs to be online and accessible all the time to generate, renew, and revoke certificates.
But since the root CA is powered off most of the time and airgapped, if key material is stored in a separate HSM, could the system be run from a ramdisk every time? Or is there a lot of state that would need to be stored?
The docs say:
The database stores things like:
- Issued certificates and certificate metadata, to facilitate passive revocation
- ACME accounts
- Used one-time-use tokens
but I'm not sure if that's an exhaustive list, or if any of those are relevant to my scenario. Does seem like it would be fairly easy to export the entire DB, though.