fix: fixes and improvements on PKI CAs

[carlosmonastyrski]

Context

This PR contains some fixes and improvements on PKI Certificate Authorities managment:

• Now root CAs can be created without a certificate attached to them and instead issue a certificate for them after creation
• Add new endpoint to issue root CA certificates and simplified the intermediate CAs certificate issuance so everything is centralized in a single endpoint
• Add new audit log for this new CA certificate issuance endpoint
• Update frontend to now use the centralized endpoint as well
• Small fix on self-signed certificate profiles throwing an error when fetching those with the GET profile endpoint.

Screenshots

Steps to verify the change

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR refactors PKI certificate authority management to support deferred certificate generation. Root CAs can now be created without certificates and have certificates generated later through a new centralized endpoint.

Key Changes

• New centralized endpoint: POST /api/v1/cert-manager/ca/internal/:caId/certificate handles both root and intermediate CA certificate generation
• Deferred certificate generation: Root CAs can be created in PENDING_CERTIFICATE status and activated later
• Simplified intermediate CA flow: Frontend now uses the unified endpoint instead of separate sign + import operations
• Bug fix: Certificate profile DAL properly returns undefined for certificateAuthority when caId is null

Issues Found

• Critical logic bug (line 206-208 in service): notAfterDate calculation ignores the provided notAfter parameter and always sets it to 10 years from now
• Security concern (line 1214-1226 in service): Missing cross-project permission validation allows using parent CAs from unauthorized projects when generating intermediate certificates
• Null safety issues (lines 1293, 1303 in service): Force-unwrapping actorOrgId that may be undefined

Confidence Score: 2/5

• This PR has critical logic bugs and security vulnerabilities that must be fixed before merging
• Score reflects a critical date calculation bug that breaks certificate validity, a security vulnerability allowing cross-project CA access, and multiple null safety issues. The refactoring is well-structured but the implementation has serious issues.
• Pay close attention to backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts - contains critical bugs and security issues that must be resolved

Important Files Changed

File Analysis

Filename	Score	Overview
backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts	3/5	Added generateRootCaCertificate and generateIntermediateCaCertificate functions, modified createCa to support deferred certificate generation. Logic bug in notAfterDate calculation, missing cross-project permission validation.
backend/src/server/routes/v1/certificate-authority-routers/internal-certificate-authority-router.ts	4/5	Added new POST /:caId/certificate endpoint to centralize CA certificate generation for both root and intermediate CAs with audit logging.
backend/src/services/certificate-profile/certificate-profile-dal.ts	5/5	Fixed bug where certificateAuthority was always returned even when caId was null, now properly returns undefined for self-signed profiles.
frontend/src/pages/cert-manager/CertAuthDetailsByIDPage/components/CaGenerateRootCertModal.tsx	4/5	New modal component for generating root CA certificates with date validation and max path length configuration. Missing notBefore field in UI.

[greptile-apps]

_{13 files reviewed, 6 comments}

_{Edit Code Review Agent Settings | Greptile}

[gitguardian]

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
9387833	Triggered	Generic Password	0d89d70	backend/bdd/features/environment.py	View secret
8529478	Triggered	Generic High Entropy Secret	0d89d70	.env.dev.example	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}