Product
Certificate Manager (PKI)
Describe the bug
When renewing a certificate via certificate-v3-service.ts, the renewal path validates the request against the certificate policy via certificatePolicyService.validateCertificateRequest, but the certificateRequest object it builds (around certificate-v3-service.ts:2417-2434) never populates basicConstraints from originalCert.isCA.
The policy's CA-related checks in validateRequestAgainstPolicy (certificate-policy-service.ts:~307) are gated on request.basicConstraints?.isCA === true, which is always falsy for a renewal request — so a policy that denies CA issuance is silently bypassed on renewal, even though it's correctly enforced on direct issuance (certificate-v3-service.ts:1290, :1608) and on approval (certificate-approval-fns.ts:393).
To Reproduce
- Create a certificate policy with CA issuance allowed (basicConstraints.isCA: "allowed").
- Issue a CA certificate under that policy.
- Update the policy to deny CA issuance (basicConstraints.isCA: "denied").
- Renew the previously-issued CA certificate.
Expected behavior
Renewal should be rejected with the same "CA certificate issuance is not allowed by this policy" error that direct issuance and approval paths throw.
Actual behavior
Renewal succeeds, issuing a new CA-flagged certificate despite the policy now denying it.
Screenshots
No response
Deployment Type
Infisical Cloud; it also reproduces on self-hosted (the code path is identical), noted so triage doesn't dismiss it as cloud-only.
Additional context
The three existing CA-policy checks (certificate-v3-service.ts:1290, :1608, certificate-approval-fns.ts:393) are near-identical inline copies rather than calls to one shared function — worth extracting into a single validateCaIssuancePolicy(ca, policy, shouldIssueAsCA) helper in certificate-issuance-utils.ts so the renewal path (and any future issuance path) can't miss it again.
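The following TypeScript is an added illustration of the gap described in this report, not Infisical's own code: it models a policy gate keyed on `request.basicConstraints?.isCA === true`, a renewal request builder that omits `basicConstraints` (the reported behaviour) beside one that populates it from `originalCert.isCA`, and a shared `validateCaIssuancePolicy` check keyed on the stored certificate's flag rather than on whatever the request happens to carry. The type shapes, the policy value (`"allowed" | "denied"`), and the reduced two-argument helper signature are assumptions made here for the example.

```typescript
// Added example for this issue; a simplified model, not the project's code.
// Types, policy values and the two-argument helper signature are assumptions.

type CaIssuanceSetting = "allowed" | "denied";

interface CertificatePolicy {
  basicConstraints?: { isCA?: CaIssuanceSetting };
}

interface CertificateRequest {
  commonName: string;
  basicConstraints?: { isCA: boolean };
}

interface IssuedCertificate {
  commonName: string;
  isCA: boolean;
}

type IssuanceResult =
  | { ok: true; cert: IssuedCertificate }
  | { ok: false; reason: string };

const CA_DENIED_MESSAGE = "CA certificate issuance is not allowed by this policy";

// Assumed model of the policy gate: the CA check only fires when the request
// itself says isCA === true, so a request with no basicConstraints passes it.
function validateRequestAgainstPolicy(request: CertificateRequest, policy: CertificatePolicy): void {
  if (request.basicConstraints?.isCA === true && policy.basicConstraints?.isCA === "denied") {
    throw new Error(CA_DENIED_MESSAGE);
  }
}

// Renewal request as the report describes it: basicConstraints is never set
// from originalCert.isCA, so the gate above cannot see that a CA is being renewed.
function buildRenewalRequestMissingCaFlag(originalCert: IssuedCertificate): CertificateRequest {
  return { commonName: originalCert.commonName };
}

// Corrected renewal request: carries the original certificate's CA flag through.
function buildRenewalRequestWithCaFlag(originalCert: IssuedCertificate): CertificateRequest {
  return {
    commonName: originalCert.commonName,
    basicConstraints: { isCA: originalCert.isCA },
  };
}

// Shared check in the spirit of the helper the report proposes. The issuing-CA
// argument from the suggested signature is left out because this model does
// not need it (assumption made for the example).
function validateCaIssuancePolicy(policy: CertificatePolicy, shouldIssueAsCA: boolean): void {
  if (shouldIssueAsCA && policy.basicConstraints?.isCA === "denied") {
    throw new Error(CA_DENIED_MESSAGE);
  }
}

// Renewal path that relies solely on the request-based gate. The renewed cert
// keeps the original isCA flag no matter what the request said, which is why
// an incomplete request object turns into a policy bypass.
function renewCertificate(
  originalCert: IssuedCertificate,
  policy: CertificatePolicy,
  buildRequest: (c: IssuedCertificate) => CertificateRequest,
): IssuanceResult {
  const request = buildRequest(originalCert);
  try {
    validateRequestAgainstPolicy(request, policy);
  } catch (e) {
    return { ok: false, reason: (e as Error).message };
  }
  return { ok: true, cert: { commonName: originalCert.commonName, isCA: originalCert.isCA } };
}

// Hardened renewal path: the shared helper is keyed on the stored certificate's
// own CA flag, so the decision no longer depends on the request being complete.
function renewCertificateHardened(originalCert: IssuedCertificate, policy: CertificatePolicy): IssuanceResult {
  try {
    validateCaIssuancePolicy(policy, originalCert.isCA);
  } catch (e) {
    return { ok: false, reason: (e as Error).message };
  }
  return renewCertificate(originalCert, policy, buildRenewalRequestWithCaFlag);
}

// Walks the reproduction steps from the report with constructed sample data.
function reproduceReport(): { bypass: IssuanceResult; fixedRequest: IssuanceResult; hardened: IssuanceResult } {
  // Step 1-2: a CA certificate issued while the policy still allowed CA issuance.
  const caCert: IssuedCertificate = { commonName: "example-intermediate", isCA: true };
  // Step 3: the policy is updated to deny CA issuance.
  const denyCa: CertificatePolicy = { basicConstraints: { isCA: "denied" } };
  // Step 4: renew under the updated policy via each path.
  return {
    bypass: renewCertificate(caCert, denyCa, buildRenewalRequestMissingCaFlag),
    fixedRequest: renewCertificate(caCert, denyCa, buildRenewalRequestWithCaFlag),
    hardened: renewCertificateHardened(caCert, denyCa),
  };
}

console.log(JSON.stringify(reproduceReport(), null, 2));
```

Running it shows the first path succeeding (the reported bypass) while the other two reject with the same message the direct-issuance and approval paths throw; a non-CA certificate still renews cleanly through the hardened path.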