diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index fa42b7d..a2d9a91 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.5_2024-01-17 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.5_2024-02-14 AS boulder-tools
 
 FROM ubuntu:focal
 
diff --git a/build/build.sh b/build/build.sh
index 27c7ce0..eb11b8a 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-02-06"
+boulderTag="release-2024-02-20"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 
diff --git a/build/tmp.patch b/build/tmp.patch
index 6a3a86f..04b3de2 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index b61c84199..a0c99bed4 100644
+index 423aed0ff..e3389ca21 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -5,7 +5,7 @@ services:
@@ -25,7 +25,7 @@ index b61c84199..a0c99bed4 100644
 +      - nginx_html:/opt/wwwstatic
 +      - softhsm:/var/lib/softhsm/tokens:cached
      networks:
-       bluenet:
+       bouldernet:
          ipv4_address: 10.77.77.77
 @@ -51,6 +48,7 @@ services:
      depends_on:
@@ -47,7 +47,7 @@ index b61c84199..a0c99bed4 100644
      networks:
        consulnet:
          ipv4_address: 10.55.55.10
-       bluenet:
+       bouldernet:
          ipv4_address: 10.77.77.10
 -    command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 +    command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
@@ -58,7 +58,7 @@ index b61c84199..a0c99bed4 100644
 -    image: *boulder_image
 +    image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest}
      networks:
-       - bluenet
+       - bouldernet
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
 -      - /home/labca/admin:/go/src/labca
@@ -101,7 +101,7 @@ index b61c84199..a0c99bed4 100644
 -    image: *boulder_image
 +    image: ghcr.io/hakwerk/labca-control:${LABCA_IMAGE_VERSION:-latest}
      networks:
-       - bluenet
+       - bouldernet
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
 -      - /home/labca/admin/data:/opt/labca/data
@@ -140,4 +140,4 @@ index b61c84199..a0c99bed4 100644
 +  softhsm:
  
  networks:
-   bluenet:
+   # This network is primarily used for boulder services. It is also used by
diff --git a/install b/install
index 217e97a..1043cf8 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-02-06"
+boulderTag="release-2024-02-20"
 
 # Feature flags
 flag_skip_redis=true
@@ -743,9 +743,8 @@ startup() {
     fi
     msg_info "$msg (this will take a while!!)"
 
-    docker compose pull -q &>>$installLog
-
     export BOULDER_TOOLS_TAG=$(grep go1. .github/workflows/boulder-ci.yml | head -1 | sed -e "s/\s*- //")
+    docker compose pull -q &>>$installLog
     docker pull -q letsencrypt/boulder-tools:$BOULDER_TOOLS_TAG &>>$installLog
 
     # Cleanup any remaining containers with old names
@@ -787,6 +786,8 @@ startup() {
 
     [ -d /home/labca/control_logs ] || mkdir -p /home/labca/control_logs
 
+    docker network rm -f labca_bluenet &>>$installLog || true
+
     # Restore MySQL data when moving from boulder-bmysql-1 to labca-bmysql-1
     if [ -z "$(docker volume ls | grep labca_dbdata)" ] && [ ! -z "$(docker volume ls | grep boulder_dbdata)" ]; then
         docker volume create labca_dbdata &>>$installLog
diff --git a/patch-cfg.sh b/patch-cfg.sh
index 1682726..ea3fb24 100755
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -90,4 +90,14 @@ done
 
 sed -i -e "s/names/name\(s\)/" config/expiration-mailer.gotmpl
 
-rm test-ca2.pem
+if [ ! -e "test-ca.key-pkcs11.json" ]; then
+    cat > test-ca.key-pkcs11.json <<EOL
+{
+    "module": "/usr/lib/softhsm/libsofthsm2.so",
+    "tokenLabel": "intermediate signing key (rsa)",
+    "pin": "1234"
+}
+EOL
+fi
+
+rm -f test-ca2.pem
diff --git a/patch.sh b/patch.sh
index 1fb1d07..45cdec7 100755
--- a/patch.sh
+++ b/patch.sh
@@ -32,6 +32,7 @@ $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations2.patch
 $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch
 $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
+$SUDO patch -p1 < $cloneDir/patches/issuance_crl.patch
 $SUDO patch -p1 < $cloneDir/patches/linter_linter.patch
 $SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch
 $SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch
diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch
index 6f027a7..9101c2a 100644
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,17 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 3232ab419..ce6f76e36 100644
+index 35b7caff7..31d27857f 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
- 	}
- 
- 	// Add the Issuing Distribution Point extension.
--	idp, err := makeIDPExt(ci.idpBase, issuer.NameID(), shard)
-+	idp, err := makeIDPExt(ci.idpBase, issuer.NameID())
- 	if err != nil {
- 		return fmt.Errorf("creating IDP extension: %w", err)
- 	}
-@@ -146,8 +146,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -143,8 +143,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
  				builder = strings.Builder{}
  			}
  		}
@@ -23,21 +14,4 @@ index 3232ab419..ce6f76e36 100644
 +		}
  	}
  
- 	template.RevokedCertificateEntries = rcs
-@@ -247,14 +249,14 @@ type issuingDistributionPoint struct {
- // makeIDPExt returns a critical IssuingDistributionPoint extension containing a
- // URI built from the base url, the issuer's NameID, and the shard number. It
- // also sets the OnlyContainsUserCerts boolean to true.
--func makeIDPExt(base string, issuer issuance.NameID, shardIdx int64) (*pkix.Extension, error) {
-+func makeIDPExt(base string, issuer issuance.NameID) (*pkix.Extension, error) {
- 	val := issuingDistributionPoint{
- 		DistributionPoint: distributionPointName{
- 			[]asn1.RawValue{ // GeneralNames
- 				{ // GeneralName
- 					Class: 2, // context-specific
- 					Tag:   6, // uniformResourceIdentifier, IA5String
--					Bytes: []byte(fmt.Sprintf("%s/%d/%d.crl", base, issuer, shardIdx)),
-+					Bytes: []byte(fmt.Sprintf("%s/%d.crl", base, issuer)),
- 				},
- 			},
- 		},
+ 	req.Entries = rcs
diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch
index 009de54..f46a709 100644
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,10 +1,10 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 7fc8f8de5..2ce16d12c 100644
+index 928c11bec..0d59c1228 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -30,8 +30,6 @@ services:
          ipv4_address: 10.77.77.77
-       rednet:
+       integrationtestnet:
          ipv4_address: 10.88.88.88
 -      redisnet:
 -        ipv4_address: 10.33.33.33
@@ -65,7 +65,7 @@ index 7fc8f8de5..2ce16d12c 100644
    bconsul:
      image: hashicorp/consul:1.15.4
      volumes:
-@@ -159,13 +117,6 @@ networks:
+@@ -171,13 +129,6 @@ networks:
        config:
          - subnet: 10.88.88.0/24
  
diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch
index e426b2b..5e1d0c0 100644
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 2ce16d12c..b61c84199 100644
+index 0d59c1228..85791692b 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -1,10 +1,11 @@
@@ -67,7 +67,7 @@ index 2ce16d12c..b61c84199 100644
 +    volumes:
 +      - dbdata:/var/lib/mysql
      networks:
-       bluenet:
+       bouldernet:
          aliases:
 @@ -68,22 +77,11 @@ services:
      # small.
@@ -86,7 +86,7 @@ index 2ce16d12c..b61c84199 100644
 -    depends_on:
 -      - bmysql
 -    networks:
--      bluenet:
+-      bouldernet:
 -        aliases:
 -          - boulder-proxysql
 +      driver: "json-file"
@@ -98,19 +98,15 @@ index 2ce16d12c..b61c84199 100644
    bconsul:
      image: hashicorp/consul:1.15.4
 @@ -95,12 +93,73 @@ services:
-       bluenet:
+       bouldernet:
          ipv4_address: 10.77.77.10
      command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 +    restart: always
- 
--  bjaeger:
--    image: jaegertracing/all-in-one:1.50
++
 +  gui:
 +    image: *boulder_image
-     networks:
--      bluenet:
--        ipv4_address: 10.77.77.17
-+      - bluenet
++    networks:
++      - bouldernet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin:/go/src/labca
@@ -131,12 +127,16 @@ index 2ce16d12c..b61c84199 100644
 +        max-size: "500k"
 +        max-file: "5"
 +    restart: always
-+
+ 
+-  bjaeger:
+-    image: jaegertracing/all-in-one:1.50
 +  nginx:
 +    image: nginx:1.25.3
 +    restart: always
-+    networks:
-+      - bluenet
+     networks:
+-      bouldernet:
+-        ipv4_address: 10.77.77.17
++      - bouldernet
 +    ports:
 +      - 80:80
 +      - 443:443
@@ -148,7 +148,7 @@ index 2ce16d12c..b61c84199 100644
 +  control:
 +    image: *boulder_image
 +    networks:
-+      - bluenet
++      - bouldernet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin/data:/opt/labca/data
@@ -174,4 +174,4 @@ index 2ce16d12c..b61c84199 100644
 +  dbdata:
  
  networks:
-   bluenet:
+   # This network is primarily used for boulder services. It is also used by
diff --git a/patches/issuance_crl.patch b/patches/issuance_crl.patch
new file mode 100644
index 0000000..ee89fe2
--- /dev/null
+++ b/patches/issuance_crl.patch
@@ -0,0 +1,13 @@
+diff --git a/issuance/crl.go b/issuance/crl.go
+index 2f36d695c..c9c2a6548 100644
+--- a/issuance/crl.go
++++ b/issuance/crl.go
+@@ -90,7 +90,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
+ 	if req.DeprecatedIDPBaseURL != "" {
+ 		// TODO(#7296): Remove this fallback once CCADB and all non-expired certs
+ 		// contain the new-style CRLDP URL instead.
+-		idps = append(idps, fmt.Sprintf("%s/%d/%d.crl", req.DeprecatedIDPBaseURL, i.NameID(), req.Shard))
++		idps = append(idps, fmt.Sprintf("%s/%d.crl", req.DeprecatedIDPBaseURL, i.NameID()))
+ 	}
+ 	idp, err := makeIDPExt(idps)
+ 	if err != nil {
diff --git a/patches/linter_linter.patch b/patches/linter_linter.patch
index 3f7866e..accf542 100644
--- a/patches/linter_linter.patch
+++ b/patches/linter_linter.patch
@@ -1,8 +1,8 @@
 diff --git a/linter/linter.go b/linter/linter.go
-index b7a9d11d..8cdc5702 100644
+index 07ac8b029..bd0abd93e 100644
 --- a/linter/linter.go
 +++ b/linter/linter.go
-@@ -193,10 +193,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
+@@ -199,10 +199,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
  		SubjectKeyId:                realIssuer.SubjectKeyId,
  		URIs:                        realIssuer.URIs,
  		UnknownExtKeyUsage:          realIssuer.UnknownExtKeyUsage,
diff --git a/patches/test_config_ca.patch b/patches/test_config_ca.patch
index 78ddc7d..d1f366d 100644
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -1,11 +1,12 @@
 diff --git a/test/config/ca.json b/test/config/ca.json
-index 1233a9c95..3c4a0a3ca 100644
+index 53ae91f2d..1937e5580 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
-@@ -59,35 +59,13 @@
+@@ -58,36 +58,14 @@
+ 				"maxValidityBackdate": "1h5m"
  			},
  			"issuers": [
- 				{
+-				{
 -					"useForRSALeaves": false,
 -					"useForECDSALeaves": true,
 -					"issuerURL": "http://127.0.0.1:4001/aia/issuer/5214744660557630",
@@ -16,13 +17,13 @@ index 1233a9c95..3c4a0a3ca 100644
 -						"numSessions": 2
 -					}
 -				},
--				{
+ 				{
  					"useForRSALeaves": true,
  					"useForECDSALeaves": true,
  					"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
  					"ocspURL": "http://127.0.0.1:4002/",
  					"location": {
- 						"configFile": "test/test-ca.key-pkcs11.json",
+-						"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
 -						"certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 -						"numSessions": 2
 -					}
@@ -33,8 +34,9 @@ index 1233a9c95..3c4a0a3ca 100644
 -					"issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
 -					"ocspURL": "http://127.0.0.1:4002/",
 -					"location": {
--						"configFile": "test/test-ca.key-pkcs11.json",
+-						"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
 -						"certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
++						"configFile": "test/test-ca.key-pkcs11.json",
 +						"certFile": "test/test-ca.pem",
  						"numSessions": 2
  					}
diff --git a/patches/va_http.patch b/patches/va_http.patch
index c863656..f1222e6 100644
--- a/patches/va_http.patch
+++ b/patches/va_http.patch
@@ -1,8 +1,8 @@
 diff --git a/va/http.go b/va/http.go
-index 8700b2a03..6583710fe 100644
+index 78df8bf42..db281855c 100644
 --- a/va/http.go
 +++ b/va/http.go
-@@ -333,7 +333,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+@@ -332,7 +332,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
  	}
  
  	if _, err := iana.ExtractSuffix(reqHost); err != nil {
diff --git a/patches/va_va.patch b/patches/va_va.patch
index dc2858a..d9fc804 100644
--- a/patches/va_va.patch
+++ b/patches/va_va.patch
@@ -1,8 +1,8 @@
 diff --git a/va/va.go b/va/va.go
-index 103896574..2e120ab52 100644
+index dd743b593..b74a313f0 100644
 --- a/va/va.go
 +++ b/va/va.go
-@@ -264,6 +264,7 @@ type ValidationAuthorityImpl struct {
+@@ -265,6 +265,7 @@ type ValidationAuthorityImpl struct {
  	maxRemoteFailures  int
  	accountURIPrefixes []string
  	singleDialTimeout  time.Duration
@@ -10,7 +10,7 @@ index 103896574..2e120ab52 100644
  
  	metrics *vaMetrics
  }
-@@ -279,6 +280,7 @@ func NewValidationAuthorityImpl(
+@@ -280,6 +281,7 @@ func NewValidationAuthorityImpl(
  	clk clock.Clock,
  	logger blog.Logger,
  	accountURIPrefixes []string,
@@ -18,7 +18,7 @@ index 103896574..2e120ab52 100644
  ) (*ValidationAuthorityImpl, error) {
  
  	if len(accountURIPrefixes) == 0 {
-@@ -305,6 +307,7 @@ func NewValidationAuthorityImpl(
+@@ -306,6 +308,7 @@ func NewValidationAuthorityImpl(
  		// used for the DialContext operations that take place during an
  		// HTTP-01 challenge validation.
  		singleDialTimeout: 10 * time.Second,