When generating CSRs, certmonger does not necessarily encode the subject the same way as in the original certificate. When renewing a CA certificate stored in an NSS database, this causes the certificate chain to break, as NSS expects the subject not to change at the DER level.
Patch fixing the issue
Do you have a sample certificate that led to this problem? I'm increasingly curious about what form the subject name is taking that the (admittedly possibly-lossy) conversion to a string and then re-parsing of that string produces a different result.
Sample IPA CA certificate
It happens for CA certificates created by Dogtag on IPA install. They use UTF8String for attribute values in the subject, which are converted to PrintableString when you decode and encode them again.
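The DER-level mismatch described above, as an added example that is not certmonger's or Dogtag's code: a minimal encoder for a single-CN subject, the lossy text round trip that turns a UTF8String into a PrintableString, and the byte-for-byte comparison a chain check effectively performs. The CN values are constructed.

```python
# RFC 5280 PrintableString character set; anything outside it needs UTF8String.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")
TAG_UTF8, TAG_PRINTABLE = 0x0C, 0x13
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def der_len(n):
    # Short-form length is enough for the small names used here.
    assert n < 128
    return bytes([n])


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_cn_name(cn, string_tag):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (CN only)."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))


def decode_cn_name(der):
    """Return (string_tag, cn) from a CN-only Name produced by encode_cn_name."""
    atv = der[4:]  # skip the SEQUENCE and SET headers (2 bytes each)
    assert atv[0] == 0x30 and atv[2] == 0x06 and atv[4:7] == OID_CN
    string_tag, length = atv[7], atv[8]
    return string_tag, atv[9:9 + length].decode("utf-8")


def reencode_via_string(der):
    """Model the lossy round trip DER -> text -> DER: the original tag is lost,
    and PrintableString is chosen whenever the text allows it."""
    _, cn = decode_cn_name(der)
    tag = TAG_PRINTABLE if set(cn) <= PRINTABLE else TAG_UTF8
    return encode_cn_name(cn, tag)


def subject_preserved(original_der, renewed_der):
    """Chain-building check: the issuer/subject link only holds if the
    subject bytes are identical, not merely the same text."""
    return original_der == renewed_der
```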
Ah, that makes sense. I was wondering about attribute-to-OID conversions, but I hadn't thought about the tagging of string values. Thanks for clarifying!
Metadata Update from @nalin:
- Issue assigned to nalin
- Issue set to the milestone: 0.74