When making a request in the RA Web, uploading a CSR, this CSR is added to the End Entity as CERTIFICATE_REQUEST in ExtendedInformation. The main purpose is so the uploaded CSR can be used to issue a certificate after a lengthy approval process.
After issuing, however, this CSR is never cleared, making it impossible to enroll the same end entity using a new CSR. The stored CSR is always used.
There may be a point in storing the CSR, mainly for audit purposes, as one can see which CSR was used to issue a certain end entity. This works perfectly when random usernames are used in approval workflows (i.e. make a request uploading a CSR, using a random end entity username), because then one end entity corresponds to one request/issuance.
When using an end-entity-centric workflow, i.e. an end entity is a server or a user, this does not work, however. In the end-entity-centric workflow it is expected that the same end entity gets new certificates as the old one expires, or that one end entity can get multiple certificates (one for authentication and one for signature, for example).
There are several ways to reproduce, one in the linked issue, and a very simple one here:
- have CA, EE profile, cert profile, not requiring any approvals.
- use RA Web Enroll->Make New request (as superadmin) to add a new end entity, uploading a CSR (Key-pair generation->provided by user), username csrtest in my example.
- Issue the certificate by "Download PEM" in the bottom of the screen.
- The CSR can be seen in the database or the end entity "select * from UserData where username='csrtest';"
- Edit the end entity in order to issue a new certificate (Search->End entities->View->Edit, status New and new enrollment code)
- Try to enroll with a new CSR by Enroll->Use Username, enter username and enrollment code and click "Check"
- You can not upload a new CSR now, because there is already a CSR stored in the end entity, so it is not possible in the RA Web to issue a new certificate to this end entity.
We should either:
- clear the CSR stored in the end entity after issuance, or
- rename the CSR entry in ExtendedInformation to something historical that we could find for audit purposes (like CERTIFICATE_REQUEST_(fingerprint of issued certificate))
Bonus would be to be able to download old CSRs in RA Web when searching for an end entity. Today you can download the stored CSR by clicking "Download CSR" when Viewing an end entity.
- Create an end entity with token type User Generated
- Issue a certificate for this end entity
- Set the status of the end entity to new
- Go to the RA web, choose Enroll -> Use Username
- Enter the name and the enrolment code of the end entity.
- Click "Check"
Problem: Old CSR is used, it is not possible to change CSR.
In conclusion, what should be done:
- when certificate is issued, put the CSR into CertificateData->certificateRequest and clear the CSR from EndEntity->extendedInformation
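The reproduction steps and the proposed fix, modelled in code. This is an added illustration and not EJBCA code: `UserData`, `CertificateData` and `Store` are stand-ins for the database rows and for the RA Web "Check"/enroll steps, the certificate bytes are constructed placeholders, and the only conventions copied from EJBCA are the ExtendedInformation key name, the end entity status values 10 (NEW) and 40 (GENERATED), and hex SHA-1 as the certificate fingerprint. `clear_csr_after_issuance=False` reproduces today's behaviour (the stored CSR wins and a second enrollment silently reuses it); `True` moves the CSR into the certificate record, keyed by fingerprint, and clears it from the end entity so a new CSR can be uploaded.

```python
"""Model of the end-entity CSR life-cycle described in this issue (added example, not EJBCA code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CERTIFICATE_REQUEST = "CERTIFICATE_REQUEST"  # key in ExtendedInformation
STATUS_NEW = 10        # EndEntityConstants.STATUS_NEW
STATUS_GENERATED = 40  # EndEntityConstants.STATUS_GENERATED


@dataclass
class UserData:
    """Stand-in for a UserData row."""
    username: str
    status: int = STATUS_NEW
    extended_information: Dict[str, str] = field(default_factory=dict)


@dataclass
class CertificateData:
    """Stand-in for a CertificateData row."""
    fingerprint: str
    username: str
    # proposed home of the CSR after issuance (CertificateData.certificateRequest)
    certificate_request: Optional[str] = None


class Store:
    def __init__(self, clear_csr_after_issuance: bool) -> None:
        # False models today's behaviour, True models the proposed fix
        self.clear_csr_after_issuance = clear_csr_after_issuance
        self.users: Dict[str, UserData] = {}
        self.certs: Dict[str, CertificateData] = {}
        self.serial = 0  # makes every stand-in certificate distinct

    def make_new_request(self, username: str, csr: str) -> UserData:
        """Enroll -> Make New Request: the uploaded CSR lands in ExtendedInformation."""
        user = UserData(username)
        user.extended_information[CERTIFICATE_REQUEST] = csr
        self.users[username] = user
        return user

    def set_status_new(self, username: str) -> None:
        """Edit end entity -> status New, i.e. prepare a re-enrollment."""
        self.users[username].status = STATUS_NEW

    def check(self, username: str) -> Optional[str]:
        """Enroll -> Use Username -> Check.

        Returns the CSR the RA Web will use; None means a fresh upload is possible.
        """
        user = self.users[username]
        if user.status != STATUS_NEW:
            raise ValueError(f"{username}: status {user.status} is not NEW")
        return user.extended_information.get(CERTIFICATE_REQUEST)

    def enroll(self, username: str, uploaded_csr: Optional[str] = None) -> Tuple[str, str]:
        """Issue a certificate; returns (fingerprint, CSR actually used)."""
        stored = self.check(username)
        csr = stored if stored is not None else uploaded_csr  # a stored CSR always wins
        if csr is None:
            raise ValueError(f"{username}: no CSR to issue from")
        self.serial += 1
        cert_bytes = f"cert-for:{username}:{self.serial}:{csr}".encode()  # placeholder for DER
        fingerprint = hashlib.sha1(cert_bytes).hexdigest()
        user = self.users[username]
        record = CertificateData(fingerprint, username)
        if self.clear_csr_after_issuance:
            record.certificate_request = csr                          # keep it for audit ...
            user.extended_information.pop(CERTIFICATE_REQUEST, None)  # ... and free the slot
        self.certs[fingerprint] = record
        user.status = STATUS_GENERATED
        return fingerprint, csr


def reproduce(clear_csr_after_issuance: bool) -> Tuple[str, Optional[str]]:
    """Run the issue's steps: request with CSR-1, issue, set New, try to enroll with CSR-2.

    Returns (CSR used for the second certificate, CSR archived with the first certificate).
    """
    store = Store(clear_csr_after_issuance)
    store.make_new_request("csrtest", "CSR-1")
    first_fp, _ = store.enroll("csrtest")
    store.set_status_new("csrtest")
    _, used_for_second = store.enroll("csrtest", uploaded_csr="CSR-2")
    return used_for_second, store.certs[first_fp].certificate_request


if __name__ == "__main__":
    print("today:   ", reproduce(False))  # ('CSR-1', None): old CSR silently reused
    print("proposed:", reproduce(True))   # ('CSR-2', 'CSR-1'): new CSR used, old one archived
```

Under the proposed behaviour `check()` returns `None` after the first issuance, which is exactly the condition under which the RA Web could offer the CSR upload again; under today's behaviour it keeps returning the original CSR.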