TrustPoint-Project / trustpoint

MIT License

Unable to re-add deleted Issuing CA if it had issued a certificate #61

Closed Aircoookie closed 2 months ago

Aircoookie commented 3 months ago

Please give a concise description of the bug

Import of an Issuing CA which had previously been imported and deleted again is unsuccessful if such CA issued a certificate. ValueError('Certificate already stored in the database.') is raised in l. 1230 of /pki/models.py

What are the steps to reproduce the issue?

1) Add a new issuing CA (e.g. with the following .pem files)

| Private Key File | Certificate Chain | Issuing CA Certificate |
| --- | --- | --- |
| secp384r1-issuing-ca-priv-key.pem | secp384r1-trust-store.pem | secp384r1-issuing-ca-certificate.pem |

2) Delete the CA
3) Add the CA again. Note this works as expected.
4) Add a domain profile for this CA
5) Add and onboard a new Manual download device using this domain profile (thus issuing a certificate from the added CA)
6) Delete the CA
7) Add the CA again. ValueError('Certificate already stored in the database.') is raised.

What behavior did you expect?

As a user, I would have expected the CA to be (re-)imported correctly.

As a developer, I would have expected the deletion of Issuing CAs with issued certificates to be prohibited. Instead, the IssuingCA instance is deleted but the underlying certificates are (correctly) kept, preventing re-import of that CA at a later time (which in itself is also correct behavior since it prevents addition of duplicate CAs).

Which version does the issue occur in?

main

Optional notes and context

Suggested solution: Inhibit deletion of CAs if there are any certificates issued by it in the database.

AlexHx8472 commented 3 months ago

Hey Aircoookie, my intention was that the issued certificates would also be deleted from the active DB on Issuing CA deletion. Of course showing a prominent warning before deletion, especially if certificates were issued. Thus, this issue would not occur. A full reimport would then be possible, since no dependencies are in the DB (with regard to the certificate tree / graph).

I would also suggest adding a feature to set an Issuing CA to an inactive state, thus keeping the certificates in the DB for both the Issuing CAs and possible CRLs.
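
The reported failure and the two remedies proposed in this thread (refusing deletion, or deleting issued certificates together with the CA), replayed as an added example that is not part of the thread and not Trustpoint's code. The SQLite schema, function names and fingerprint strings are hypothetical, and the 'orphan' policy is an assumed simplification of the behaviour described in the report.

```python
import sqlite3

CA_FP, LEAF_FP = "ca-fp-constructed", "leaf-fp-constructed"  # constructed sample values

# Hypothetical schema: each certificate is stored once, keyed by a unique fingerprint.
SCHEMA = """
CREATE TABLE certificate (id INTEGER PRIMARY KEY, fingerprint TEXT UNIQUE NOT NULL,
                          issuer_fp TEXT);
CREATE TABLE issuing_ca (id INTEGER PRIMARY KEY, cert_id INTEGER NOT NULL
                         REFERENCES certificate(id));
"""

def import_ca(db, fp):
    """Import a CA; a certificate that is already stored is rejected as a duplicate."""
    if db.execute("SELECT 1 FROM certificate WHERE fingerprint = ?", (fp,)).fetchone():
        raise ValueError("Certificate already stored in the database.")
    cur = db.execute("INSERT INTO certificate (fingerprint) VALUES (?)", (fp,))
    db.execute("INSERT INTO issuing_ca (cert_id) VALUES (?)", (cur.lastrowid,))

def issue_cert(db, ca_fp, leaf_fp):
    db.execute("INSERT INTO certificate (fingerprint, issuer_fp) VALUES (?, ?)", (leaf_fp, ca_fp))

def delete_ca(db, ca_fp, policy):
    """policy: 'orphan' (assumed current behaviour), 'protect' or 'cascade'."""
    issued = db.execute("SELECT COUNT(*) FROM certificate WHERE issuer_fp = ?", (ca_fp,)).fetchone()[0]
    if policy == "protect" and issued:
        raise PermissionError(f"CA has {issued} issued certificate(s); deletion refused")
    db.execute("DELETE FROM issuing_ca WHERE cert_id = "
               "(SELECT id FROM certificate WHERE fingerprint = ?)", (ca_fp,))
    if policy == "cascade":      # remove the CA certificate and everything it issued
        db.execute("DELETE FROM certificate WHERE fingerprint = ? OR issuer_fp = ?", (ca_fp, ca_fp))
    elif issued == 0:            # nothing depends on the CA certificate, drop it
        db.execute("DELETE FROM certificate WHERE fingerprint = ?", (ca_fp,))
    # otherwise the CA certificate stays because issued certificates chain to it

def reimport_after_delete(policy):
    """Replay steps 1-7 of the report under one deletion policy and return the outcome."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    import_ca(db, CA_FP)                  # step 1
    delete_ca(db, CA_FP, policy)          # step 2
    import_ca(db, CA_FP)                  # step 3: works, nothing was issued yet
    issue_cert(db, CA_FP, LEAF_FP)        # steps 4-5: onboarding issues a certificate
    try:
        delete_ca(db, CA_FP, policy)      # step 6
        import_ca(db, CA_FP)              # step 7
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__
    return "reimported"

if __name__ == "__main__":
    for p in ("orphan", "protect", "cascade"):
        print(p, "->", reimport_after_delete(p))
```

Under 'protect' the failure moves from the re-import to the deletion itself, so the issued certificates remain available for revocation and CRL generation; under 'cascade' they are gone from the active database once the CA is deleted.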