Skip to content

feat(pki): adds automated intermediate CA signing and auto-renewal using AD CS#5738

Merged
saifsmailbox98 merged 15 commits intomainfrom
saif/pki-91-add-external-ca-support-for-ad-cs-linked-to-internal
Mar 20, 2026
Merged

feat(pki): adds automated intermediate CA signing and auto-renewal using AD CS#5738
saifsmailbox98 merged 15 commits intomainfrom
saif/pki-91-add-external-ca-support-for-ad-cs-linked-to-internal

Conversation

@saifsmailbox98
Copy link
Copy Markdown
Contributor

@saifsmailbox98 saifsmailbox98 commented Mar 17, 2026

Context

Adds automated intermediate CA signing and auto-renewal using AD CS

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@linear
Copy link
Copy Markdown

linear bot commented Mar 17, 2026

PKI-91 Add External CA Support for AD CS linked to Internal Infisical Intermediate CA

@maidul98
Copy link
Copy Markdown
Collaborator

maidul98 commented Mar 17, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 17, 2026
edited
Loading

Greptile Summary

This PR adds automated intermediate CA signing and auto-renewal via Azure Active Directory Certificate Services (ADCS), mirroring the existing Venafi integration. It introduces a new AzureAdCs signing config type, a BullMQ job for async certificate installation (CaAdcsInstall), an ADCS-specific HTTP client for CSR submission and polling, and the corresponding frontend install/edit forms and audit log events.

Key changes:

  • Backend: New adcs-signing-fns.ts handles CSR submission, polling, and CA chain retrieval using the ADCS web enrollment (/certsrv/) endpoints. Validity period and template fields are properly sanitized with RE2 patterns. The ca-auto-renewal-queue.ts adds a processAdcsCertificateIssuance helper and queueAdcsInstall entry point, both consistent with the Venafi design.
  • Frontend: AdcsCaInstallForm.tsx handles the initial install flow; CaSigningConfigSection.tsx adds an ADCS edit modal. The install form validates validityPeriod with a regex, but the edit modal's adcsEditSchema omits that validation, allowing invalid values (e.g. "1y") to be submitted — these are then silently accepted client-side but rejected server-side. The edit modal's helper text also lists "1y" as an example, which is not a valid format per the backend schema.
  • API/Docs: New POST /:caId/install-certificate-adcs endpoint and documentation are added.

Confidence Score: 3/5

  • Mostly safe to merge; a frontend validation gap in the ADCS edit modal should be addressed before release.
  • The backend implementation is solid — CRLF sanitization, validity period validation, error handling, and permission checks are all present. The main gap is in the frontend: the ADCS signing-config edit modal (CaSigningConfigSection.tsx) lacks the validityPeriod format validation that the install form has, and the helper text references "1y" as valid when the backend only accepts the ^\d+d$ format. This will cause confusing server-side errors for users editing the config. There are also minor RE2 convention deviations (string.match(re2Instance) instead of re2Instance.match(string)) that are consistent with how they were addressed for similar calls in the codebase.
  • frontend/src/pages/cert-manager/CertAuthDetailsByIDPage/components/CaSigningConfigSection.tsx — missing validityPeriod format validation in adcsEditSchema and misleading helper text.

Important Files Changed

Filename Overview
backend/src/services/certificate-authority/ca-signing-config/adcs-signing-fns.ts Core ADCS integration: submits CSR, polls for certificate, fetches CA chain. Uses RE2 for regex but calls native string.match(re2Instance) in two places (lines 126, 134) instead of re2Instance.match(string). CRLF sanitization, validity period validation, and request ID parsing are all implemented correctly.
backend/src/services/certificate-authority/ca-signing-config/ca-signing-config-service.ts Service layer for signing config CRUD and certificate installation. ADCS path mirrors the Venafi path: validates permissions, checks config type, validates destination config schema, and queues async install. No issues found.
backend/src/services/certificate-authority/ca-auto-renewal-queue.ts BullMQ queue processor adds ADCS issuance path parallel to the existing Venafi path. The synchronous polling loop in processAdcsCertificateIssuance can block the daily renewal batch job for up to 5 minutes per ADCS CA, but this matches the existing Venafi behavior. Error handling correctly updates renewal status on failure.
backend/src/server/routes/v1/certificate-authority-routers/internal-certificate-authority-router.ts Adds the POST /:caId/install-certificate-adcs endpoint with correct rate limiting, authentication, Zod validation, audit logging (INSTALL_CA_CERT_ADCS), and 202 async response. Correctly uses CERTIFICATE_AUTHORITIES.INSTALL_CERT_ADCS.caId description.
frontend/src/pages/cert-manager/CertAuthDetailsByIDPage/components/CaSigningConfigSection.tsx ADCS edit modal's adcsEditSchema (lines 90-94) is missing the validityPeriod format regex (^\d+d$) present in the install form, allowing invalid formats to pass client-side validation. The helper text on line 376 also references "1y" as an example, which is rejected by the backend.
frontend/src/pages/cert-manager/CertificateAuthoritiesPage/components/CaInstallCertModal/AdcsCaInstallForm.tsx Install form for ADCS certificates. Uses native JS regex /^\d+d$/ in the Zod schema (line 35) instead of an RE2 instance per project conventions. Logic for create-vs-update and queuing install is correct.

Last reviewed commit: 2410278

greptile-apps[bot]
greptile-apps bot reviewed Mar 17, 2026
View reviewed changes
@saifsmailbox98
Copy link
Copy Markdown
Contributor Author

saifsmailbox98 commented Mar 17, 2026

@greptile review this PR

@saifsmailbox98
Copy link
Copy Markdown
Contributor Author

saifsmailbox98 commented Mar 17, 2026

@greptile review this PR again based on my responses to your comments

@saifsmailbox98
Copy link
Copy Markdown
Contributor Author

saifsmailbox98 commented Mar 17, 2026

@greptile review this PR based on my previous responses

@saifsmailbox98
Copy link
Copy Markdown
Contributor Author

saifsmailbox98 commented Mar 17, 2026

@greptile review this PR based on my previous responses

carlosmonastyrski
carlosmonastyrski requested changes Mar 19, 2026
View reviewed changes
@saifsmailbox98 saifsmailbox98 merged commit 61a3b4a into main Mar 20, 2026
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@carlosmonastyrski carlosmonastyrski carlosmonastyrski approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@saifsmailbox98 @maidul98 @carlosmonastyrski