When the user is providing an externally-signed cert (i.e. renewing an externally-signed CA or switching from self-signed to externally-signed) we should check that the Subject DN attribute encodings are the same on the old and new certificates.
For the external -> self-signed case, because we call Dogtag to issue the cert, all we can do is generate a CSR with the same attribute encodings (this we do) and hope that Dogtag respects them (this is the bug that was fixed in RHEL 7.5). But we can check the new certificate post-issuance, and abort at that stage if the encodings differ (such a situation is itself a BUG, but proceeding with the new attribute encodings could cause more subtle, harder-to-solve problems than a failure to renew because of the mismatch).
See https://frasertweedale.github.io/blog-redhat/posts/2018-03-15-x509-dn-attribute-encoding.html for an explanation of why same subject DN with different attribute encodings is a problem.
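One way to implement the post-issuance check described above, as an added example that is not FreeIPA's or Dogtag's own code: walk the DER-encoded Subject Name of the old and the new certificate and compare, attribute by attribute, not just the characters but the ASN.1 tag each value was encoded with (PrintableString vs UTF8String). It assumes the caller has already pulled the raw subject Name out of each certificate; the two sample Names are constructed inline, and the minimal DER walker is used instead of a library only so the example runs offline.

```python
"""Check that a renewed cert keeps the old Subject DN attribute encodings.

Added example, not FreeIPA's own code. Input is the DER-encoded RFC 5280
Name (SEQUENCE OF SET OF AttributeTypeAndValue) from each certificate.
The sample Names at the bottom are constructed for this example.
"""

# Universal tags that can appear as DirectoryString choices (RFC 5280 4.1.2.4).
TAG_NAMES = {
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x14: "TeletexString",
    0x16: "IA5String",
    0x1C: "UniversalString",
    0x1E: "BMPString",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, pos + 2
    else:                                 # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def dn_attribute_encodings(name_der):
    """Return [(oid, value_tag, value_bytes)] for every attribute in a Name.

    The tag is the point: the same characters as PrintableString and as
    UTF8String are different DER byte strings, so a consumer that compares
    DNs bytewise will not see them as the same subject.
    """
    tag, rdns, _ = _read_tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            assert tag == 0x30, "AttributeTypeAndValue must be a SEQUENCE"
            otag, oid_raw, q = _read_tlv(atv, 0)
            assert otag == 0x06, "attribute type must be an OID"
            vtag, value, _ = _read_tlv(atv, q)
            out.append((_decode_oid(oid_raw), vtag, value))
    return out


def check_subject_encodings(old_name_der, new_name_der):
    """Return (ok, mismatches). ok only if every attribute matches in OID,
    value bytes and encoding tag, position by position; a renewal should
    abort on any mismatch rather than proceed with a re-encoded subject."""
    old = dn_attribute_encodings(old_name_der)
    new = dn_attribute_encodings(new_name_der)
    if len(old) != len(new):
        return False, ["attribute count differs: %d vs %d" % (len(old), len(new))]
    mismatches = []
    for i, ((o_oid, o_tag, o_val), (n_oid, n_tag, n_val)) in enumerate(zip(old, new)):
        if o_oid != n_oid or o_val != n_val:
            mismatches.append(f"attribute {i}: {o_oid}={o_val!r} vs {n_oid}={n_val!r}")
        elif o_tag != n_tag:
            mismatches.append(f"attribute {i} ({o_oid}): "
                              f"{TAG_NAMES.get(o_tag, hex(o_tag))} vs "
                              f"{TAG_NAMES.get(n_tag, hex(n_tag))}")
    return not mismatches, mismatches


# --- constructed sample subjects (not taken from any real certificate) -------
def _tlv(tag, body):
    assert len(body) < 128            # short-form length suffices here
    return bytes([tag, len(body)]) + body


def _name(*attrs):
    """Build a DER Name from (oid_bytes, value_tag, text), one RDN per attr."""
    rdns = b""
    for oid, vtag, text in attrs:
        atv = _tlv(0x30, _tlv(0x06, oid) + _tlv(vtag, text.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


CN = bytes.fromhex("550403")   # id-at-commonName 2.5.4.3
O = bytes.fromhex("55040a")    # id-at-organizationName 2.5.4.10

OLD_SUBJECT = _name((CN, 0x13, "Certificate Authority"), (O, 0x13, "EXAMPLE.TEST"))
# Same characters, re-issued with the values encoded as UTF8String instead.
NEW_SUBJECT_REENCODED = _name((CN, 0x0C, "Certificate Authority"), (O, 0x0C, "EXAMPLE.TEST"))
NEW_SUBJECT_SAME = _name((CN, 0x13, "Certificate Authority"), (O, 0x13, "EXAMPLE.TEST"))

if __name__ == "__main__":
    for label, new in (("same", NEW_SUBJECT_SAME), ("re-encoded", NEW_SUBJECT_REENCODED)):
        ok, why = check_subject_encodings(OLD_SUBJECT, new)
        print(label, "OK" if ok else "ABORT: " + "; ".join(why))
```

Running it reports the PrintableString-encoded subject as OK and the UTF8String re-encoding as a mismatch for both attributes, even though both subjects print identically as strings; that is the failure mode the ticket wants to abort on rather than silently accept.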
Metadata Update from @fbarreto: - Issue priority set to: normal