Currently, when we start the issuance of a certificate for an end entity, a "local" database transaction is started in order to be able to perform rollback in case of database failure.
However, during this transaction EJBCA also communicates with external systems. There are a couple of reasons this might be a bad idea:
- Calls to external systems may take too long, causing the local transaction to be aborted.
- If doing direct publishing, there is a chance that the certificate gets issued but not (yet) stored on the CA side, it gets published to the external systems, and then something in the local database connection fails, resulting in a rollback. Now you have the certificate in the external system but not in the CA (so you can't revoke it). This is particularly troublesome when publishing to the OCSP responder: the certificate is valid on that side but untracked in the CA itself.
There might be other cases where this happens.
At least the following external communication is performed during the issuance transaction at the moment (this list should be updated if anything else becomes known):
- Publishing via publishers that do not have "Only publish to queue" option turned on.
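The following simulation illustrates the failure mode above and why the "Only publish to queue" ordering avoids it. It is an added example, not EJBCA code: an in-memory SQLite database stands in for the CA database, a dict stands in for an external system such as an OCSP responder, and the table names, function names and the injected "connection lost" error are constructed for the illustration.

```python
"""Constructed simulation of publishing inside vs. outside the issuance transaction.

Not EJBCA code. SQLite is the stand-in CA database; ExternalPublisher is the
stand-in for a non-transactional external system (OCSP responder, LDAP, ...).
Table and function names are made up for this example.
"""
import sqlite3


class ExternalPublisher:
    """Direct publisher stand-in: once publish() returns, nothing can roll it back."""

    def __init__(self):
        self.published = {}

    def publish(self, fingerprint, cert):
        self.published[fingerprint] = cert


def new_ca_db():
    # isolation_level=None puts sqlite3 in autocommit mode so BEGIN/COMMIT/ROLLBACK
    # below are the explicit transaction boundaries of this example.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE CertificateData (fingerprint TEXT PRIMARY KEY, cert TEXT)")
    db.execute("CREATE TABLE PublisherQueueData (fingerprint TEXT PRIMARY KEY, cert TEXT)")
    return db


def issue_direct_publish(db, publisher, fingerprint, cert, fail_before_commit=False):
    """The pattern the ticket warns about: the external call happens inside the transaction."""
    db.execute("BEGIN")
    try:
        db.execute("INSERT INTO CertificateData VALUES (?, ?)", (fingerprint, cert))
        publisher.publish(fingerprint, cert)  # external side effect, not covered by ROLLBACK
        if fail_before_commit:
            raise sqlite3.OperationalError("database connection lost")  # constructed failure
        db.execute("COMMIT")
        return True
    except sqlite3.OperationalError:
        db.execute("ROLLBACK")  # CertificateData row disappears, external copy stays
        return False


def issue_queue_publish(db, publisher, fingerprint, cert, fail_before_commit=False):
    """Queue ordering: only local rows inside the transaction, external call after COMMIT."""
    db.execute("BEGIN")
    try:
        db.execute("INSERT INTO CertificateData VALUES (?, ?)", (fingerprint, cert))
        db.execute("INSERT INTO PublisherQueueData VALUES (?, ?)", (fingerprint, cert))
        if fail_before_commit:
            raise sqlite3.OperationalError("database connection lost")  # constructed failure
        db.execute("COMMIT")
    except sqlite3.OperationalError:
        db.execute("ROLLBACK")  # both rows vanish together; nothing ever reached the publisher
        return False
    drain_publisher_queue(db, publisher)
    return True


def drain_publisher_queue(db, publisher):
    """Separate step (a queue worker in practice): publish committed queue rows, then clear them.
    If the external call fails here, the queue row survives and can simply be retried."""
    rows = db.execute("SELECT fingerprint, cert FROM PublisherQueueData").fetchall()
    for fingerprint, cert in rows:
        publisher.publish(fingerprint, cert)
        db.execute("DELETE FROM PublisherQueueData WHERE fingerprint = ?", (fingerprint,))
    return len(rows)


def ca_knows(db, fingerprint):
    row = db.execute("SELECT 1 FROM CertificateData WHERE fingerprint = ?", (fingerprint,)).fetchone()
    return row is not None


def orphaned_in_external_system(db, publisher):
    """Certificates the external system holds but the CA never stored (and so cannot revoke)."""
    return sorted(fp for fp in publisher.published if not ca_knows(db, fp))


def demo(fail_before_commit):
    """Run both orderings against a fresh CA database and report orphaned certificates."""
    results = {}
    for name, issue in (("direct", issue_direct_publish), ("queue", issue_queue_publish)):
        db, pub = new_ca_db(), ExternalPublisher()
        issue(db, pub, "aa11", "cert-aa11", fail_before_commit)
        results[name] = orphaned_in_external_system(db, pub)
    return results


if __name__ == "__main__":
    print(demo(fail_before_commit=True))   # {'direct': ['aa11'], 'queue': []}
    print(demo(fail_before_commit=False))  # {'direct': [], 'queue': []}
```

The queue ordering does not remove every failure window: a crash between COMMIT and the drain leaves an unpublished certificate, but that state is recoverable because the queue row is still in the CA database and the publish can be retried. The direct ordering fails the other way round, with a certificate the external system trusts and the CA has no record of, which is exactly the unrevocable case described above. It also keeps the slow external call outside the transaction, so it cannot cause the transaction itself to be aborted.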
Additional notes: I am not 100% sure whether this is still a valid issue for newer EJBCA versions (at least for 5.0.9 it is), but I doubt that there has been much change in this part of the code in the meantime. I might be wrong on this, of course, and the issue may not be present anymore.