[BUG] RelatedObjectDoesNotExist when trying to revoke a certficate / delete a device whose CA is deleted

[Aircoookie]

Please give a concise description of the bug Device LDevID certificates are in a partly invalid state after deleting the associated issuing CA. This means LDevID revocation and device deletion (as this internally revokes) will fail.

What are the steps to reproduce the issue?

• Setup Issuing CA, domain, device
• Onboard device (any method)
• Delete issuing CA
• Observe that both the issuing CA and the domain are correctly deleted
• Edit the device domain to a new one (on a different CA)
• Try to revoke the LDevID
• pki.models.CertificateModel.issuing_ca_model.RelatedObjectDoesNotExist: CertificateModel has no issuing_ca_model

Second way:

• Setup Issuing CA, domain, device
• Onboard device (any method)
• Delete issuing CA
• Delete device (that no longer has domain/CA set)
• pki.models.CertificateModel.issuing_ca_model.RelatedObjectDoesNotExist: CertificateModel has no issuing_ca_model

What behavior did you expect?

This is subject to discussion. Regarding domains, I would either:

• keep domain on delete and allow selection of a new CA
• not allow deletion of CA as long as a domain is configured to this CA (preferred, but only once rollover is implemented)
• display a warning on CA deletion on what domains it will delete All of these options would in my opinion be compatible with offering a CA rollover process in the domain.

Options regarding CA:

• not allow CA deletion as long as there are active issued certificates (but even after that CA may be needed for CRLs)
• allow setting CA to 'Inactive' state where it cannot issue new certs but can maintain CRL (this may be handled on domain level, we may consider adding a "Certificate Issuance allowed" option. It could even distinguish between initial enrollment and renewal, and thus be used as an additional layer of security if no onboarding of new devices is expected)
• allow CA deletion, on EE cert revocation attempt display a warning "Unable to revoke, the associated Issuing CA is no longer configured". (I would prefer this as the most user friendly way, but it needs to be verified if not revoking in this case would be valid)
• allow revocation only once a new CA/domain is configured (e.g. via in-domain CA rollover process) and add the revoked cert to the CRL of the new CA (check if this is valid according to RFCs or if CRL can only contain SN issued by the same CA)

Which version does the issue occur in? main

Optional notes and context We do have a similar problem if the CA expires, though this would definitely warrant skipping mandatory EE revocation as the certificate is no longer valid anyway once the CA cert is no longer valid.

[Aircoookie]

I addressed this to some degree in the auto-gen-pki branch now, as in that attempting to revoke a certificate without an associated CA will cause an error log entry and message instead of an unhandled exception. It sets the device onboarding state to 'Failed', this behavior is open for discussion.

This approach should ideally still be enhanced by further safeguards e.g. as outlined above.