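/// <summary>
/// ACME-style "finalize" handler. Authenticates the JWS-signed request, checks that
/// the signing account owns the order named in the route, has the CA sign the
/// submitted CSR, stores the certificate and moves the order to "valid".
/// </summary>
/// <param name="acctId">Account id from the route; must parse as an int.</param>
/// <param name="orderId">Order id from the route; must parse as an int.</param>
/// <param name="signedPayload">JWS envelope whose payload is a <see cref="FinalizeOrderRequest"/>.</param>
/// <returns>
/// The updated order payload, or 404 when either id is malformed, the order is
/// unknown, or the order does not belong to <paramref name="acctId"/>.
/// </returns>
/// <exception cref="InvalidOperationException">
/// The JWS "kid" does not resolve to an account, the resolved account does not own
/// the order, the order is no longer pending, or the request carries no CSR.
/// </exception>
public ActionResult<Order> FinalizeOrder(string acctId, string orderId, [FromBody] JwsSignedPayload signedPayload)
{
    // A malformed route id is reported exactly like an unknown one so the
    // response does not reveal which ids are well-formed.
    if (!int.TryParse(acctId, out var acctIdNum))
    {
        return NotFound();
    }
    if (!int.TryParse(orderId, out var orderIdNum))
    {
        return NotFound();
    }

    // Authenticate before touching any order state: replay protection via the
    // nonce, then the JWS signature against the key the "kid" header resolves to.
    var ph = ExtractProtectedHeader(signedPayload);
    ValidateNonce(ph);
    var acct = _repo.GetAccountByKid(ph.Kid);
    if (acct is null)
    {
        throw new InvalidOperationException("could not resolve account");
    }
    ValidateAccount(acct, signedPayload);

    // Authorize: the order must exist and belong to the account in the route,
    // and that account must be the one that actually signed this request.
    var dbOrder = _repo.GetOrder(orderIdNum);
    if (dbOrder is null || dbOrder.AccountId != acctIdNum)
    {
        return NotFound();
    }
    if (acct.Id != dbOrder.AccountId)
    {
        throw new InvalidOperationException("inconsistent state -- " + "Challenge Order does not belong to resolved Account");
    }
    if (dbOrder.Details.Payload.Status != "pending")
    {
        throw new InvalidOperationException("Order no longer pending");
    }

    var requ = ExtractPayload<FinalizeOrderRequest>(signedPayload);
    // Fail with a clear message instead of letting the base64url decoder throw
    // on a missing field.
    if (string.IsNullOrEmpty(requ?.Csr))
    {
        throw new InvalidOperationException("finalize request is missing the CSR");
    }
    var csrDer = CryptoHelper.Base64.UrlDecode(requ.Csr);

    // NOTE(review): the CSR goes straight to the CA. Nothing visible here checks
    // that its subject/SANs cover only the identifiers this order was authorized
    // for, or that its public key is not the account key -- confirm _ca.Sign (or
    // an upstream step) enforces that before relying on this endpoint outside a
    // test setting.
    var crt = _ca.Sign(PkiEncodingFormat.Der, csrDer, PkiHashAlgorithm.Sha256);

    byte[] crtBytes;
    using (var ms = new MemoryStream())
    {
        crt.Save(ms);
        ms.Flush();
        // ToArray() copies the whole buffer regardless of Position, so no reset is needed.
        crtBytes = ms.ToArray();
    }

    // certKey is the handle GetCertificate is later looked up by. If that endpoint
    // is unauthenticated, this value is the only thing protecting the certificate;
    // Guid.NewGuid() is random in .NET Core but is not documented as a security
    // primitive -- confirm GetCertificate requires auth or use RandomNumberGenerator.
    var certKey = Guid.NewGuid().ToString();

    // Leaf PEM followed by the CA chain PEM, as clients expect for ACME downloads.
    var certPem = Encoding.UTF8.GetString(crt.Export(PkiEncodingFormat.Pem)) + ResolveCaCertPem();

    var dbCert = new DbCertificate
    {
        OrderId = dbOrder.Id,
        CertKey = certKey,
        Native = crtBytes,
        Pem = certPem,
    };
    _repo.SaveCertificate(dbCert);

    // Two separate saves: if SaveOrder fails the certificate already exists without
    // an order pointing at it. The repository does not expose a transaction here.
    dbOrder.Details.Payload.Status = "valid";
    dbOrder.Details.Payload.Certificate = Url.Action(nameof(GetCertificate), controller: null, values: new { certKey }, protocol: Request.Scheme);
    _repo.SaveOrder(dbOrder);

    // Every response carries a fresh nonce for the client's next request.
    GenerateNonce();
    return dbOrder.Details.Payload;
}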