Description
PacketFence version
PacketFence 15.0.0 ZEN edition
Describe the bug
PF_PKI CA issues new certificates with duplicate serial numbers when alternating between creating certificates using the same certificate template manually via web UI and when creating certs via SCEP.
The same issue does not occur if certificates are created exclusively via web UI.
To Reproduce
Steps to reproduce the behavior:
- Fresh installation of PF 15.0.0 ZEN edition.
- Create a new CA and certificate template via web UI. Enable SCEP on the certificate template.
- Create a new certificate using the template via web UI. Result: The new certificate is issued with Serial Number 1.
- Revoke that certificate via web UI.
- Create a CSR via CLI (e.g., with openssl) and issue a SCEP request against the PF_PKI SCEP endpoint that's associated with the template you just created:
sscep enroll -c ./ca.crt -k ./private.key -r ./mycsr.csr -u http://127.0.0.1/scep/<scep_template_name> -S sha1 -E aes256 -l ./cert.crt
- PF_PKI issues a new certificate via SCEP. Result: The new certificate is issued with Serial Number 1 (Collision).
Screenshots
Output from MariaDB that exemplifies how two different certs (with unique ids), issued by the same CA, have matching serial numbers:
MariaDB [(none)]> SELECT id,created_at,ca_id,ca_name,serial_number,subject FROM pf.pki_certs;
+----+-------------------------+-------+----------------+---------------+-----------------------------------------------------------------------+
| id | created_at | ca_id | ca_name | serial_number | subject |
+----+-------------------------+-------+----------------+---------------+-----------------------------------------------------------------------+
| 2 | 2025-12-14 15:57:09.451 | 1 | Bug Testing CA | 1 | CN=john.doe,OU=QA Tester,O=Bug Corp.,L=Los Angeles,ST=California,C=US |
+----+-------------------------+-------+----------------+---------------+-----------------------------------------------------------------------+
1 row in set (0.000 sec)
MariaDB [(none)]> SELECT id,created_at,ca_id,ca_name,serial_number,subject FROM pf.pki_revoked_certs;
+----+-------------------------+-------+----------------+---------------+-------------------+
| id | created_at | ca_id | ca_name | serial_number | subject |
+----+-------------------------+-------+----------------+---------------+-------------------+
| 1 | 2025-12-14 15:43:33.809 | 1 | Bug Testing CA | 1 | CN=chester.tester |
+----+-------------------------+-------+----------------+---------------+-------------------+
1 row in set (0.000 sec)
Expected behavior
Each certificate that's issued by the same CA must have a unique serial number as described in RFC 5280:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2
When certificate serial numbers collide it can cause issues with certificate revocation, etc.
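An audit query for this condition, added here as an example (not PacketFence code): it treats active and revoked certs as one serial namespace per CA, which is what RFC 5280 requires, and flags any (ca_id, serial_number) pair used more than once. The column names come from the SELECT output above; the reduced table schema and the in-memory SQLite database are constructed for the example, and the query also runs on MariaDB.

```python
import sqlite3

# Reduced schema constructed for this example from the columns shown in the
# report's SELECT output; it is not PacketFence's real DDL.
SCHEMA = """
CREATE TABLE pki_certs (id INTEGER, created_at TEXT, ca_id INTEGER,
                        ca_name TEXT, serial_number TEXT, subject TEXT);
CREATE TABLE pki_revoked_certs (id INTEGER, created_at TEXT, ca_id INTEGER,
                                ca_name TEXT, serial_number TEXT, subject TEXT);
"""

# Rows copied from the MariaDB output above: both certs of CA 1 carry serial 1.
SAMPLE_ROWS = {
    "pki_certs": [(2, "2025-12-14 15:57:09.451", 1, "Bug Testing CA", "1",
                   "CN=john.doe,OU=QA Tester,O=Bug Corp.,L=Los Angeles,ST=California,C=US")],
    "pki_revoked_certs": [(1, "2025-12-14 15:43:33.809", 1, "Bug Testing CA", "1",
                           "CN=chester.tester")],
}

# Revoked certs stay in the CA's serial namespace (RFC 5280 4.1.2.2), so a
# uniqueness check limited to pki_certs alone would miss this report's case.
COLLISION_QUERY = """
SELECT ca_id, serial_number, COUNT(*) AS n, GROUP_CONCAT(src) AS sources
FROM (
    SELECT 'active' AS src, id, ca_id, serial_number FROM pki_certs
    UNION ALL
    SELECT 'revoked' AS src, id, ca_id, serial_number FROM pki_revoked_certs
) AS all_certs
GROUP BY ca_id, serial_number
HAVING COUNT(*) > 1
ORDER BY ca_id, serial_number;
"""


def load_sample_db(rows=SAMPLE_ROWS):
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, values in rows.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?,?,?,?,?,?)", values)
    return conn


def find_serial_collisions(conn):
    """Return [(ca_id, serial_number, count, 'src,src,...')] for every duplicate."""
    return conn.execute(COLLISION_QUERY).fetchall()


if __name__ == "__main__":
    for ca_id, serial, n, sources in find_serial_collisions(load_sample_db()):
        print(f"CA {ca_id}: serial {serial} issued {n} times ({sources})")
```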
Additional context
If needed I can provide additional logs. I was able to locate the SCEP request in /usr/local/pf/logs/packetfence.log, but did not find any other info about the certificate issuance process.