
Certificate renewal bypasses CA-issuance policy denial #6971

Description

@Abdul-Moiz31

Product

Certificate Manager (PKI)

Describe the bug

When renewing a certificate via certificate-v3-service.ts, the renewal path validates the request against the certificate policy via certificatePolicyService.validateCertificateRequest, but the certificateRequest object it builds (around certificate-v3-service.ts:2417-2434) never populates basicConstraints from originalCert.isCA.

The policy's CA-related checks in validateRequestAgainstPolicy (certificate-policy-service.ts:~307) are gated on request.basicConstraints?.isCA === true, which is always falsy for a renewal request — so a policy that denies CA issuance is silently bypassed on renewal, even though it's correctly enforced on direct issuance (certificate-v3-service.ts:1290, :1608) and on approval (certificate-approval-fns.ts:393).

To Reproduce

  • Create a certificate policy with CA issuance allowed (basicConstraints.isCA: "allowed").
  • Issue a CA certificate under that policy.
  • Update the policy to deny CA issuance (basicConstraints.isCA: "denied").
  • Renew the previously-issued CA certificate.

Expected behavior

Renewal should be rejected with the same "CA certificate issuance is not allowed by this policy" error that direct issuance and approval paths throw.

Actual behavior

Renewal succeeds, issuing a new CA-flagged certificate despite the policy now denying it.

Screenshots

No response

Deployment Type

Infisical Cloud; also noting it reproduces on self-hosted too (since the code path is identical) so triage doesn't dismiss it as cloud-only.

Additional context

The three existing CA-policy checks (certificate-v3-service.ts:1290, :1608, certificate-approval-fns.ts:393) are near-identical inline copies rather than calls to one shared function — worth extracting into a single validateCaIssuancePolicy(ca, policy, shouldIssueAsCA) helper in certificate-issuance-utils.ts so the renewal path (and any future issuance path) can't miss it again.
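Added illustration of the gate described in this report and of the two fixes it proposes (populating basicConstraints on renewal, and a shared CA-policy helper). This is example code written for this page, not Infisical's own code: the type names, the function names `validateRequestAgainstPolicy`, `buildRenewalRequestBuggy`, `buildRenewalRequestFixed`, `validateCaIssuancePolicy` and `renewalErrors`, and the sample certificate and policy values are all assumptions made for the example.

```typescript
// Example code for this issue page (not Infisical's implementation). Models the
// policy gate `request.basicConstraints?.isCA === true` and a renewal request
// that omits basicConstraints, then shows the renewal path with the flag carried
// over and a single shared helper for the CA-issuance decision.

type CaPolicySetting = "allowed" | "denied";

interface CertPolicy {
  basicConstraints: { isCA: CaPolicySetting };
}

interface CertRequest {
  commonName: string;
  basicConstraints?: { isCA: boolean }; // optional: a renewal that forgets it slips past the gate
}

interface IssuedCert {
  commonName: string;
  isCA: boolean;
}

const CA_DENIED_ERROR = "CA certificate issuance is not allowed by this policy";

// The gate as the report describes it: the CA check only runs when the request
// explicitly asks for a CA, so a request with no basicConstraints is never checked.
function validateRequestAgainstPolicy(request: CertRequest, policy: CertPolicy): string[] {
  const errors: string[] = [];
  if (request.basicConstraints?.isCA === true && policy.basicConstraints.isCA === "denied") {
    errors.push(CA_DENIED_ERROR);
  }
  return errors;
}

// Buggy renewal builder (assumed shape): copies the subject but drops the CA flag.
function buildRenewalRequestBuggy(originalCert: IssuedCert): CertRequest {
  return { commonName: originalCert.commonName };
}

// Fixed renewal builder: carries originalCert.isCA into basicConstraints so the
// existing gate sees the renewal as a CA request and applies the policy.
function buildRenewalRequestFixed(originalCert: IssuedCert): CertRequest {
  return {
    commonName: originalCert.commonName,
    basicConstraints: { isCA: originalCert.isCA },
  };
}

// Shared helper in the spirit of the report's suggestion: one function that every
// issuance path (direct, approval, renewal) calls with the intent to issue as a CA,
// so no path can skip the check by leaving a field unset.
function validateCaIssuancePolicy(policy: CertPolicy, shouldIssueAsCA: boolean): void {
  if (shouldIssueAsCA && policy.basicConstraints.isCA === "denied") {
    throw new Error(CA_DENIED_ERROR);
  }
}

// Walks the report's reproduction steps: a CA certificate issued earlier is renewed
// after the policy was changed to deny CA issuance. Sample values are constructed.
function renewalErrors(build: (cert: IssuedCert) => CertRequest): string[] {
  const policyNow: CertPolicy = { basicConstraints: { isCA: "denied" } };
  const originalCert: IssuedCert = { commonName: "example-ca", isCA: true };
  return validateRequestAgainstPolicy(build(originalCert), policyNow);
}

// Stand-alone run: the buggy builder yields no errors (the bypass), the fixed one is denied.
console.log("buggy renewal errors:", renewalErrors(buildRenewalRequestBuggy));
console.log("fixed renewal errors:", renewalErrors(buildRenewalRequestFixed));
```

The `renewalErrors` helper takes the request builder as a parameter so the same policy and certificate can be run through both the buggy and the fixed renewal path; with the shared `validateCaIssuancePolicy` helper, the decision no longer depends on whether a caller remembered to populate `basicConstraints`, because each path passes its intent (`shouldIssueAsCA`) explicitly.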
