EJBCA is configured to have an RA alias that has a CA associated with it that was signed by a root CA.
When sending a CMP request to an RA alias using PBE protection that has a certificate signed by a root CA, we expect that the response should include the root CA and any intermediate certificates in the extraCerts field. However, this field is empty.
I believe the issue lies in CmpResponseMessage. Starting from line 375, if the response message expects to use PBE protection, it will run the method protectPKIMessageWithPBE, and in this method it will expect that the PKIMessage will include its extra certs. However, these certs have not been set on the PKIMessage. In fact, for signature protection, it will not set the extra certs on the PKIMessage either; instead it will create a list of extra certs and call CmpMessageHelper.signPKIMessage with this list passed through as a variable.
Without the ability for a PBE-protected response to include the extra certs, it becomes impossible to build a correct certChain for a certificate signed by an intermediate CA rather than a root CA.
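
A structural check for the symptom reported above, as an added example that is not part of the original report and is not EJBCA code: it walks the DER of a CMP PKIMessage (RFC 4210 layout: header, body, protection [0], extraCerts [1]) and reports whether protection is present and how many extraCerts entries the response carries. The function names and the two sample messages are assumptions made for this example; the samples are constructed skeletons with placeholder header, body and certificate entries.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, start, start + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        if e > end:
            raise ValueError("child element overruns its parent")
        out.append((tag, s, e))
        pos = e
    return out

def inspect_pkimessage(der):
    """Report body type, presence of protection [0] and number of extraCerts [1]."""
    tag, s, e = read_tlv(der, 0)
    parts = children(der, s, e) if tag == 0x30 else []
    if len(parts) < 2:
        raise ValueError("not a PKIMessage SEQUENCE")
    info = {"body_type": parts[1][0] & 0x1F, "protected": False, "extra_certs": 0}
    for tag, s, e in parts[2:]:             # header and body are positional
        if tag == 0xA0:                     # [0] protection BIT STRING
            info["protected"] = True
        elif tag == 0xA1:                   # [1] EXPLICIT SEQUENCE OF CMPCertificate
            _, cs, ce = read_tlv(der, s)
            info["extra_certs"] = len(children(der, cs, ce))
    return info

def tlv(tag, content=b""):                  # short-form DER builder, sample data only
    return bytes([tag, len(content)]) + content

# Constructed skeleton messages: placeholder header/body/certs, not real EJBCA output.
HEAD_BODY = tlv(0x30, tlv(0x02, b"\x02")) + tlv(0xA3, tlv(0x30))   # header, cp body
PROTECTION = tlv(0xA0, tlv(0x03, b"\x00\xAA"))
SAMPLE_EMPTY = tlv(0x30, HEAD_BODY + PROTECTION)
SAMPLE_CHAIN = tlv(0x30, HEAD_BODY + PROTECTION + tlv(0xA1, tlv(0x30, tlv(0x30) * 2)))
```

Running `inspect_pkimessage` on the DER bytes of a captured response gives the same report; a protected response with `extra_certs` equal to 0 matches the behaviour described in this report.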