regfish
diff --git a/‎README.de.md‎
Lines changed: 2 additions & 2 deletions b/‎README.de.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/de/issuing-certificates.md‎
Lines changed: 15 additions & 2 deletions b/‎docs/de/issuing-certificates.md‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎docs/de/workflow-overview.md‎
Lines changed: 9 additions & 2 deletions b/‎docs/de/workflow-overview.md‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎docs/en/issuing-certificates.md‎
Lines changed: 15 additions & 2 deletions b/‎docs/en/issuing-certificates.md‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎docs/en/workflow-overview.md‎
Lines changed: 9 additions & 2 deletions b/‎docs/en/workflow-overview.md‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎internal/api/client.go‎
Lines changed: 29 additions & 27 deletions b/‎internal/api/client.go‎
Lines changed: 29 additions & 27 deletions
diff --git a/‎internal/api/client_test.go‎
Lines changed: 44 additions & 3 deletions b/‎internal/api/client_test.go‎
Lines changed: 44 additions & 3 deletions
@@ -59,7 +59,7 @@ sudo certbro issue \
   --webserver nginx
 ```
 
-Für DV-Produkte wartet `certbro issue` in der Regel auf die Ausstellung und deployt das Zertifikat direkt. Für OV- oder Business-Produkte kann die TLS API stattdessen `action_required=true` mit einer `completion_url` unter `/my/certs/...` zurückgeben. In diesem Fall speichert `certbro` das Pending-Material lokal, gibt die Console-URL aus und endet erfolgreich. Ein späterer Lauf von `certbro renew` setzt denselben offenen Vorgang fort, nachdem der Console-Schritt abgeschlossen wurde.
+Für DV-Produkte wartet `certbro issue` in der Regel auf die Ausstellung und deployt das Zertifikat direkt. Für OV- oder organisationsvalidierte Business-Produkte kann die TLS API stattdessen `action_required=true` mit einer `completion_url` unter `/my/certs/...` zurückgeben. In diesem Fall speichert `certbro` das Pending-Material lokal, gibt die Console-URL aus und endet erfolgreich. Ein späterer Lauf von `certbro renew` setzt denselben offenen Vorgang fort, nachdem der Console-Schritt abgeschlossen wurde.
 
 Renewals manuell ausführen:
 
@@ -78,7 +78,7 @@ sudo certbro install
 - Multi-Domain-Zertifikate: `--dns-name` für jede SAN wiederholen
 - Paralleler RSA- und ECDSA-Betrieb: `certbro issue-pair`
 - Bereits bestehende regfish-Bestellungen: Import per `certificate_id`
-- OV- oder Business-Bestellungen: `certbro issue` kann eine Console-`completion_url` zurückgeben; wenn bereits eine nutzbare `--org-id` bekannt ist, direkt mitgeben, andernfalls die Bestellung dort abschließen und später mit `certbro renew` finalisieren
+- OV- oder Business-Bestellungen: `--org-id` erwartet die öffentliche TLS-Organisations-ID aus `/tls/organization` beziehungsweise `organization_id`, zum Beispiel `hdl_ABCDEFGHJKLMN`; `certbro issue` kann trotzdem noch eine Console-`completion_url` zurückgeben, wenn die Organisation nicht bestellbar ist oder weitere Completion-Daten fehlen
 - Sofortiger Ersatz: `certbro renew --name example-com --force`
 - Einmaliger Laufzeit-Override: `certbro renew --name example-com --force --validity-days 30`
 - Pending-Ausstellung nach Timeout: `certbro renew --name example-com` erneut ausführen, um denselben Request weiter zu beobachten
 
@@ -59,7 +59,7 @@ sudo certbro issue \
   --webserver nginx
 ```
 
-For DV products, `certbro issue` usually waits for issuance and deploys the certificate directly. For OV or business products, the TLS API can instead return `action_required=true` with a `completion_url` under `/my/certs/...`. In that case, `certbro` stores the pending material locally, prints the Console URL, and exits successfully. A later `certbro renew` run resumes the same pending order after the Console step has been completed.
+For DV products, `certbro issue` usually waits for issuance and deploys the certificate directly. For OV or organization-validated business products, the TLS API can instead return `action_required=true` with a `completion_url` under `/my/certs/...`. In that case, `certbro` stores the pending material locally, prints the Console URL, and exits successfully. A later `certbro renew` run resumes the same pending order after the Console step has been completed.
 
 Run renewals manually:
 
@@ -78,7 +78,7 @@ sudo certbro install
 - Multi-domain certificates: repeat `--dns-name` for each SAN
 - Dual RSA and ECDSA deployment: use `certbro issue-pair`
 - Existing regfish orders: import by `certificate_id`
-- OV or business orders: `certbro issue` can return a Console `completion_url`; if you already know a usable `--org-id`, pass it up front, otherwise complete the order there and let `certbro renew` finish it later
+- OV or business orders: `--org-id` expects the public TLS organization id from `/tls/organization` or `organization_id`, for example `hdl_ABCDEFGHJKLMN`; `certbro issue` can still return a Console `completion_url` if the organization is not yet usable or more completion data is required
 - Immediate replacement: `certbro renew --name example-com --force`
 - One-off renewal lifetime override: `certbro renew --name example-com --force --validity-days 30`
 - Pending issuance after a timeout: rerun `certbro renew --name example-com` to resume monitoring the existing request
 
@@ -29,16 +29,18 @@ sudo certbro issue \
   --product SecureSite
 ```
 
-Wenn bereits eine nutzbare Organisations-ID aus der regfish Console bekannt ist, kann sie direkt mitgegeben werden:
+Wenn bereits eine nutzbare öffentliche TLS-Organisations-ID bekannt ist, kann sie direkt mitgegeben werden:
 
 ```sh
 sudo certbro issue \
   --name example-com \
   --common-name example.com \
   --product SecureSite \
-  --org-id 42
+  --org-id hdl_ABCDEFGHJKLMN
 ```
 
+`--org-id` erwartet dieselbe öffentliche `org_id`, die die TLS API in `/tls/organization`, `organization_id` und `POST /tls/certificate/{certificate_id}/complete` verwendet. Es geht nicht um eine interne numerische Datenbank-ID.
+
 Damit wird die Bestellung direkt mit der vorhandenen Organisation verknüpft. Ist diese Organisation bereits bestellbar, kann die TLS API ohne gestufte Completion-URL direkt weiterlaufen.
 
 Wenn die TLS API mit `action_required=true` antwortet, gibt `certbro` unter anderem diese Felder aus:
@@ -47,6 +49,7 @@ Wenn die TLS API mit `action_required=true` antwortet, gibt `certbro` unter ande
 - `pending_reason`
 - `pending_message`
 - `completion_url`
+- `organization_id`
 
 Die `completion_url` in der regfish Console öffnen, die OV-/Business-Bestellung dort abschließen und danach erneut ausführen:
 
@@ -56,6 +59,16 @@ sudo certbro renew --name example-com
 
 `certbro renew` setzt denselben offenen Vorgang fort und provisioniert DCV, sobald die Validierungsrecords verfügbar sind. Wenn das Zertifikat danach schon bereitsteht, lädt `certbro` es im selben Lauf herunter und deployt es. Wenn die providerseitige OV-/Business-Validierung noch läuft, beendet sich `certbro renew` sauber und setzt den Vorgang bei einem späteren Renewal-Lauf oder Timer-Zyklus fort.
 
+Für direkte API-Clients beschreibt die aktuelle OpenAPI-Spezifikation zusätzlich den programmatischen Abschluss über `POST /tls/certificate/{certificate_id}/complete` mit einem Body wie:
+
+```json
+{
+  "org_id": "hdl_ABCDEFGHJKLMN"
+}
+```
+
+`certbro` selbst nutzt dafür weiterhin die Console-`completion_url` und übernimmt danach im `renew`-Pfad wieder DCV, Polling, Download und Deployment.
+
 ## Laufzeit-Zeitplan
 
 `certbro` folgt dem CA/B-Forum-Zeitplan für öffentlich vertrauenswürdige TLS-Zertifikate und beginnt aus Sicherheitsgründen jeweils einen Tag früher mit dem niedrigeren Default.
 
@@ -63,17 +63,24 @@ sudo certbro issue \
   --name example-com \
   --common-name example.com \
   --product SecureSite \
-  --org-id 42
+  --org-id hdl_ABCDEFGHJKLMN
 ```
 
 Dadurch ändert sich der Ablauf:
 
 1. `certbro` erzeugt Private Key und CSR weiterhin lokal.
-2. Die Bestellung wird direkt mit der vorhandenen Organisations-ID verknüpft.
+2. Die Bestellung wird direkt mit der vorhandenen öffentlichen TLS-Organisations-ID (`org_id`, zum Beispiel `hdl_ABCDEFGHJKLMN`) verknüpft.
 3. Ist diese Organisation bereits bestellbar, kann die TLS API ohne den gestuften `completion_url`-Zwischenschritt direkt weiterlaufen.
 4. Dann nähert sich der Ablauf wieder dem DV-Fall an: Validierungsrecords können schon in der ersten `issue`-Antwort auftauchen, und `certbro issue` kann die DNS-Records direkt im selben Lauf anlegen.
 5. Ist die Organisation unvollständig oder nicht bestellbar, kann die TLS API trotzdem wieder in den gestuften OV-/Business-Flow zurückfallen.
 
+Wichtig für API und CLI:
+
+- `POST /tls/certificate` nimmt optional `org_id`.
+- `POST /tls/certificate/{certificate_id}/complete` verlangt `org_id` zwingend.
+- Die Response-Felder `organization_id` und `organization.id` verwenden dieselbe öffentliche string-basierte TLS-Organisations-ID.
+- Ältere numerische Beispiele sind dafür nicht mehr maßgeblich.
+
 ## Was `renew` bei Pending-Bestellungen macht
 
 `certbro renew` ist der einzige Resume- und Finalize-Mechanismus für offene Bestellungen.
 
@@ -29,16 +29,18 @@ sudo certbro issue \
   --product SecureSite
 ```
 
-If you already know a usable organization id from the regfish Console, pass it up front:
+If you already know a usable public TLS organization id, pass it up front:
 
 ```sh
 sudo certbro issue \
   --name example-com \
   --common-name example.com \
   --product SecureSite \
-  --org-id 42
+  --org-id hdl_ABCDEFGHJKLMN
 ```
 
+`--org-id` expects the same public `org_id` used by the TLS API in `/tls/organization`, `organization_id`, and `POST /tls/certificate/{certificate_id}/complete`. It is not an internal numeric database id.
+
 That pre-links the order to the existing organization. If the organization is already usable for ordering, the TLS API can continue directly without returning a staged completion URL.
 
 If the TLS API responds with `action_required=true`, `certbro` prints fields such as:
@@ -47,6 +49,7 @@ If the TLS API responds with `action_required=true`, `certbro` prints fields suc
 - `pending_reason`
 - `pending_message`
 - `completion_url`
+- `organization_id`
 
 Follow the `completion_url` in the regfish Console, complete the OV/business order there, and then rerun:
 
@@ -56,6 +59,16 @@ sudo certbro renew --name example-com
 
 `certbro renew` resumes the same pending order and provisions DCV as soon as validation records become available. If the certificate is already ready afterwards, `certbro` downloads and deploys it in the same run. If provider-side OV/business validation is still pending, `certbro renew` exits cleanly and continues on a later renewal run or timer cycle.
 
+For direct API clients, the current OpenAPI specification also documents programmatic completion via `POST /tls/certificate/{certificate_id}/complete` with a payload such as:
+
+```json
+{
+  "org_id": "hdl_ABCDEFGHJKLMN"
+}
+```
+
+`certbro` itself still relies on the Console `completion_url` for that human completion step and then resumes DCV, polling, download, and deployment during `renew`.
+
 ## Validity Schedule
 
 `certbro` follows the CA/B Forum schedule for publicly trusted TLS certificate lifetimes and starts using the upcoming lower default one day earlier as a safety margin.
 
@@ -63,17 +63,24 @@ sudo certbro issue \
   --name example-com \
   --common-name example.com \
   --product SecureSite \
-  --org-id 42
+  --org-id hdl_ABCDEFGHJKLMN
 ```
 
 This changes the flow:
 
 1. `certbro` still creates the private key and CSR locally.
-2. The order is pre-linked to the existing organization id.
+2. The order is pre-linked to the existing public TLS organization id (`org_id`, for example `hdl_ABCDEFGHJKLMN`).
 3. If that organization is already usable for ordering, the TLS API can continue directly without the staged `completion_url` detour.
 4. In that case, the flow moves closer to DV behavior: validation records can appear immediately in the initial `issue` response, and `certbro issue` can provision DNS in the same run.
 5. If the organization is incomplete or unusable, the TLS API can still fall back to the staged OV/business flow above.
 
+Important for both API and CLI consumers:
+
+- `POST /tls/certificate` accepts optional `org_id`.
+- `POST /tls/certificate/{certificate_id}/complete` requires `org_id`.
+- The response fields `organization_id` and `organization.id` use the same public string-based TLS organization id.
+- Older numeric examples are no longer authoritative for this flow.
+
 ## What `renew` Does for Pending Orders
 
 `certbro renew` is the only resume and finalize mechanism for pending orders.
 
@@ -14,6 +14,8 @@ import (
 	"net/http"
 	"strings"
 	"time"
+
+	"github.com/regfish/certbro/internal/tlsmeta"
 )
 
 // DefaultBaseURL is the default regfish API endpoint used by certbro.
@@ -113,30 +115,30 @@ type TLSCertificateReissue struct {
 
 // TLSOrganizationSummary contains the minimal organization metadata returned with a certificate.
 type TLSOrganizationSummary struct {
-	ID                int    `json:"id"`
-	Name              string `json:"name"`
-	Status            string `json:"status"`
-	UsableForOrdering bool   `json:"usable_for_ordering"`
+	ID                tlsmeta.OrganizationID `json:"id"`
+	Name              string                 `json:"name"`
+	Status            string                 `json:"status"`
+	UsableForOrdering bool                   `json:"usable_for_ordering"`
 }
 
 // TLSCertificate models the public TLS certificate resource returned by the API.
 type TLSCertificate struct {
-	ID                     string   `json:"id"`
-	Status                 string   `json:"status"`
-	CommonName             string   `json:"common_name"`
-	Product                string   `json:"product"`
-	Provider               string   `json:"provider"`
-	DNSNames               []string `json:"dns_names"`
-	OrderState             string   `json:"order_state,omitempty"`
-	ActionRequired         bool     `json:"action_required"`
-	PendingReason          string   `json:"pending_reason,omitempty"`
-	PendingMessage         string   `json:"pending_message,omitempty"`
-	CompletionURL          string   `json:"completion_url,omitempty"`
-	OrganizationID         int      `json:"organization_id,omitempty"`
-	RevocationScope        string   `json:"revocation_scope,omitempty"`
-	RevocationPendingScope string   `json:"revocation_pending_scope,omitempty"`
-	RenewalSupported       bool     `json:"renewal_supported,omitempty"`
-	ReissueSupported       bool     `json:"reissue_supported"`
+	ID                     string                 `json:"id"`
+	Status                 string                 `json:"status"`
+	CommonName             string                 `json:"common_name"`
+	Product                string                 `json:"product"`
+	Provider               string                 `json:"provider"`
+	DNSNames               []string               `json:"dns_names"`
+	OrderState             string                 `json:"order_state,omitempty"`
+	ActionRequired         bool                   `json:"action_required"`
+	PendingReason          string                 `json:"pending_reason,omitempty"`
+	PendingMessage         string                 `json:"pending_message,omitempty"`
+	CompletionURL          string                 `json:"completion_url,omitempty"`
+	OrganizationID         tlsmeta.OrganizationID `json:"organization_id,omitempty"`
+	RevocationScope        string                 `json:"revocation_scope,omitempty"`
+	RevocationPendingScope string                 `json:"revocation_pending_scope,omitempty"`
+	RenewalSupported       bool                   `json:"renewal_supported,omitempty"`
+	ReissueSupported       bool                   `json:"reissue_supported"`
 	// ValidityDays is the purchased base order validity in days. It is not the authoritative
 	// issued certificate lifetime for provider-linked renewals. Use ValidFrom and ValidUntil
 	// to determine the effective issued lifetime.
@@ -173,13 +175,13 @@ type TLSProduct struct {
 
 // TLSCertificateRequest is the order or renewal payload for POST /tls/certificate.
 type TLSCertificateRequest struct {
-	SKU          string   `json:"sku"`
-	CommonName   string   `json:"common_name"`
-	DNSNames     []string `json:"dns_names,omitempty"`
-	CSR          string   `json:"csr"`
-	DCVMethod    string   `json:"dcv_method"`
-	DCVEmails    []string `json:"dcv_emails,omitempty"`
-	Organization int      `json:"org_id,omitempty"`
+	SKU          string                 `json:"sku"`
+	CommonName   string                 `json:"common_name"`
+	DNSNames     []string               `json:"dns_names,omitempty"`
+	CSR          string                 `json:"csr"`
+	DCVMethod    string                 `json:"dcv_method"`
+	DCVEmails    []string               `json:"dcv_emails,omitempty"`
+	Organization tlsmeta.OrganizationID `json:"org_id,omitempty"`
 	// RenewalOfCertificateID turns a regular order into a provider-linked renewal of an existing
 	// public certificate id. Any remaining-validity bonus is decided by the provider and is not
 	// guaranteed until the new certificate has actually been issued.
 
@@ -134,7 +134,7 @@ func TestGetCertificateParsesCurrentOpenAPIFields(t *testing.T) {
 				"pending_reason": "validation_pending",
 				"pending_message": "The TLS certificate order is waiting for domain validation.",
 				"completion_url": "https://dash.regfish.com/my/certs/7K9QW3M2ZT8HJ/complete",
-				"organization_id": 42,
+				"organization_id": "hdl_ABCDEFGHJKLMN",
 				"revocation_scope": "certificate",
 				"revocation_pending_scope": "order",
 				"renewal_supported": true,
@@ -151,7 +151,7 @@ func TestGetCertificateParsesCurrentOpenAPIFields(t *testing.T) {
 				"order_cancellation_mode": "revoke_issued",
 				"order_cancellable_until": "2026-03-20T10:00:00Z",
 				"organization": {
-					"id": 42,
+					"id": "hdl_ABCDEFGHJKLMN",
 					"name": "Example GmbH",
 					"status": "validated",
 					"usable_for_ordering": true
@@ -183,7 +183,7 @@ func TestGetCertificateParsesCurrentOpenAPIFields(t *testing.T) {
 	if cert.ActionRequired {
 		t.Fatalf("ActionRequired = %v, want false", cert.ActionRequired)
 	}
-	if cert.PendingReason != "validation_pending" || cert.OrganizationID != 42 {
+	if cert.PendingReason != "validation_pending" || cert.OrganizationID != "hdl_ABCDEFGHJKLMN" {
 		t.Fatalf("pending/org fields = %#v", cert)
 	}
 	if cert.CompletionURL != "https://dash.regfish.com/my/certs/7K9QW3M2ZT8HJ/complete" {
@@ -206,3 +206,44 @@ func TestGetCertificateParsesCurrentOpenAPIFields(t *testing.T) {
 		t.Fatalf("OrderCancellableUntil = %v, want %v", cert.OrderCancellableUntil, wantUntil)
 	}
 }
+
+func TestGetCertificateAcceptsLegacyNumericOrganizationID(t *testing.T) {
+	server, err := testutil.NewLocalServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{
+			"success": true,
+			"response": {
+				"id": "7K9QW3M2ZT8HJ",
+				"status": "pending",
+				"common_name": "example.com",
+				"product": "SecureSite",
+				"provider": "digicert",
+				"dns_names": ["example.com"],
+				"action_required": true,
+				"pending_reason": "organization_required",
+				"pending_message": "Complete the organization and contact validation in the regfish Console.",
+				"completion_url": "https://dash.regfish.com/my/certs/7K9QW3M2ZT8HJ/complete",
+				"organization_id": 42,
+				"certificate_pem_available": false
+			}
+		}`))
+	}))
+	if err != nil {
+		t.Fatalf("NewLocalServer() error = %v", err)
+	}
+	defer server.Close()
+
+	client, err := NewClient("secret", server.URL, "certbro/test")
+	if err != nil {
+		t.Fatalf("NewClient() error = %v", err)
+	}
+	client.HTTPClient = server.Client()
+
+	cert, err := client.GetCertificate(context.Background(), "7K9QW3M2ZT8HJ")
+	if err != nil {
+		t.Fatalf("GetCertificate() error = %v", err)
+	}
+	if cert.OrganizationID != "42" {
+		t.Fatalf("cert.OrganizationID = %q, want legacy id converted to string", cert.OrganizationID)
+	}
+}