Issue
When upgrading and migrating from a peer-backed vault to a secrets-backed vault, certhandler regenerates the privkey because it can't find one in the new (current) vault, but it migrates the old CSR over. Consequently, the CSR is signed with an outdated and lost privkey.
Solution
On upgrade, after migrating the vault, if we have a CSR but NO private key in the vault, we know the CSR is signed by an outdated privkey. Renew it.
Tandem PR
Testing Instructions
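The check described under Solution, written out as an added example that is not part of this PR or the project's code. It assumes the `cryptography` package, models the vault as a plain dict with hypothetical `private-key` and `csr` entries, and goes one step beyond the PR by also renewing when a key is present but does not match the CSR.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def new_private_key() -> bytes:
    """Generate a fresh EC private key as unencrypted PEM."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )


def new_csr(private_key_pem: bytes, common_name: str) -> bytes:
    """Build a CSR for common_name, signed by the given private key."""
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def csr_matches_key(csr_pem: bytes, private_key_pem: bytes) -> bool:
    """True only if the CSR carries the public half of private_key_pem."""
    def spki(pub):
        return pub.public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )
    csr = x509.load_pem_x509_csr(csr_pem)
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return csr.is_signature_valid and spki(csr.public_key()) == spki(key.public_key())


def reconcile_after_migration(vault: dict, common_name: str) -> str:
    """Run after the vault migration, before any key is regenerated."""
    key, csr = vault.get("private-key"), vault.get("csr")  # hypothetical entry names
    if csr is None:
        return "no-csr"
    if key is not None and csr_matches_key(csr, key):
        return "kept"
    # CSR without a key (the upgrade case), or a CSR for another key: renew it.
    if key is None:
        key = vault["private-key"] = new_private_key()
    vault["csr"] = new_csr(key, common_name)
    return "renewed"
```
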