Do not send expiration notification when certificate has been renewed for entity

[3keyroman]

I am looking to extend CertificateExpirationNotifierWorker to not send notification when renewed certificate exists.
The idea is to check that there is a newer certificate issued for the same subject DN or end entity for which the certificate was issued.

I would like to know if this is a good idea that will work consistently for all types of certificates and you can maintain it further. I am sure you were thinking about this because it is a typical configuration users would like to have.

The idea is to create new worker that will have the following as input:

• List of end entities profiles to check, where user can select multiple
• Time before notification is sent (this is the same property as in CertificateExpirationNotifierWorker)

The worker will get all certificates based on selected end entity profile that are going to expiry and additionally check if newer exists, i.e.:

String fingerprint = (String) next[0];
String username = (String) next[1];

String subjectDN = endEntityAccessSession.findByUsername(username).getSubjectDN();
X509Certificate latestIssued = certificateStoreSession.findLatestX509CertificateBySubject(subjectDN);
X509Certificate found = (X509Certificate) certificateStoreSession.findCertificateByFingerprint(fingerprint);

byte[] latestIssuedEncoded = latestIssued.getEncoded();
byte[] foundEncoded = found.getEncoded();
if (Arrays.equals(foundEncoded, latestIssuedEncoded)) {
    // Get the certificate through a session bean
    log.debug("Found a certificate we should notify. Username=" + username + ", fp=" + fingerprint);
    
    final String subject = "Certificate expiration notification - without renewed";
    final String message = "Certificate with: \n"
            + "fingerprint: " + fingerprint + "\n"
            + "with the serial number: " + latestIssued.getSerialNumber().toString(16) + "\n"
            + "username: " + username + "\n"
            + "is going to expire and does not have any renewed certificate.";
    final MailActionInfo mailActionInfo = new MailActionInfo(null, subject, message);
    sendEmail(mailActionInfo, ejbs);
}

Because of the findLatestX509CertificateBySubject method, is this going to work only for X.509 certificates? Should there be implemented more general method like findLatestCertificateBySubject or similar to get Certificate instead of X509Certificate?

My proof of concept for X.509 certificates works as expected, but I am not 100% sure that it does not have any side effects or unexpected behaviour. I can create PR if you think this is good approach.

[primetomas]

It's a new service you are defining right? What would be the name EndEntityCertificateExpirationNotifier?

If the target is end entities as such isn't it enough to get all end entities that uses an end entity profile and then get the latest certificate for this end entity?

[primetomas]

The original service, that you improve, look for certificate issued from CAs and certificate profiles. Just want the clarification why you chose end entity profile here?

[3keyroman]

I would like to select end entity profiles that should be checked independently of their certificate profiles and CAs. Certificate profiles and CAs can be configured for multiple end entity profiles and one end entity profile can have multiple certificate profiles and CAs.

Do you think it does not make sense?

[primetomas]

I think it depends on the use case and how you have set up issuance and profiles. Would it make sense to add end entity profiles in addition to CA and certificate profile, and you can filter any way you like. Having "all" on CA and certificate profile would then give only the end entity profile.
If you think this, able to do a lot of selections, would be interesting. I'm thinking that your suggestion of looking up the end entity to find their latest certificate could be a new configuration option in the "old" service?

[3keyroman]

Yes, that is an option how to do it and we can update the current implementation without implementing new service.

We should include checkbox to select if you do not want to notify when there is a renewed certificate.

And it comes to the same question I had before, am I able to identify renewal for all types of certificates? And also in every configuration of the service I can make? Is this mechanism in the code above using endEntityAccessSession enough?

Do you see anything that can go wrong or will not behave according to the EJBCA principles?

[primetomas]

Our principles are flexibility :-). Therefore things can always go wrong depending on what you do. End entities can change or be deleted for example, so there will always be the possibility that end entities does not match perfectly. But in most cases it will, if the policy the PKI operates under specifies a certain way of operation. Making configuration flexible is how we usually handle very diverse use cases and policies.
We've seen a single end entity issuing all certificates in a system, not tied to any specific human user or device, we've also seen a single random end entity for each certificate issued when end entities are not relevant. But in the case where an end entity represents a device/user, using endEntityAccessSession makes sense.
So if using end entity to only send notification if there is not a newer one. I think it's a good idea, it needs a separate configuration option, and clear documentation of how it works. I'm sure the workers documentation can be improved in general to explain some different use cases.