
Certificates appear to use ORGANIZATION_NAME as 'issuer' #1646

Closed
explody opened this issue Aug 30, 2018 · 2 comments

Comments


explody commented Aug 30, 2018

Possibly related to #1645 in that, if source import accepted these missing fields, it may be implicitly fixed. Regardless, the 'issuer' column is set to, and remains, the org name even after update.

While looking at how certificate data is initially wrong upon import from a source, we noticed that the 'issuer' field in the DB is set to a slugified string value of the cert's x509 ORGANIZATION_NAME CN.

In the UI, prior to the next sync job running, and while the cert data is incomplete, this renders the "Issuer" column as that org name slug.

After a sync job runs, authority_id is updated and the UI now displays the issuer name (i.e. a sub-CA CN) rather than the org name. We presume this is related to authority_id because this is what the DB looks like at the two different stages:

After import from source, before sync runs, UI displaying the org name as issuer:

lemur_prod=# select name,issuer,external_id,authority_id from certificates where name like 'C%';
                       name                        |       issuer       | external_id | authority_id
---------------------------------------------------+--------------------+-------------+--------------
 CertCN-OrgName-20180823-20190823                  | OrgName            |             |
 CertCN-OrgName-20190828-20190823                  | OrgName            |             |
 CertCN-OrgName-20180828-20190828                  | OrgName            |             |
 CertCN-OrgName-20180829-20190829                  | OrgName            |             |

After the sync job runs, fields are updated, and with authority_id set, the UI displays the correct issuer name:

lemur_prod=# select name,issuer,external_id,authority_id from certificates where name like 'C%';
                       name                        |       issuer       |     external_id     | authority_id
---------------------------------------------------+--------------------+---------------------+--------------
  CertCN-OrgName-20180823-20190823                 | OrgName            | XXXXXXXXXXXXXXXXX   |            4
  CertCN-OrgName-20180828-20190828                 | OrgName            | XXXXXXXXXXXXXXXXX   |            4
  CertCN-OrgName-20180829-20190829                 | OrgName            | XXXXXXXXXXXXXXXXX   |            4
  CertCN-OrgName-20180828-20190828                 | OrgName            | XXXXXXXXXXXXXXXXX   |            4

This seems to come from here, where the org name is preferred over the issuer CN:

issuer = (cert.issuer.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)

The expected behavior is that the issuer column would contain the issuer CN rather than the org name.
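To make the difference concrete, here is an added example (not Lemur's code) that derives the 'issuer' value from an issuer DN both ways: preferring ORGANIZATION_NAME, as the line quoted above does, and preferring COMMON_NAME, as this issue expects. It assumes the issuer DN is supplied as an RFC 4514-style string, and `text_to_slug` is a simplified stand-in for Lemur's helper.

```python
import re


def parse_dn(dn):
    """Parse 'CN=Sub CA 1,O=Org Name,C=US' into {attr: [values]}.

    Commas escaped as '\\,' inside a value are kept as literal commas.
    Attribute types are upper-cased so 'cn' and 'CN' match.
    """
    attrs = {}
    for rdn in re.split(r'(?<!\\),', dn):
        key, _, value = rdn.partition('=')
        value = value.strip().replace('\\,', ',')
        attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs


def text_to_slug(value, joiner='-'):
    """Simplified slug helper (constructed stand-in, not Lemur's):
    keep alphanumerics, collapse everything else to `joiner`."""
    return re.sub(r'[^A-Za-z0-9]+', joiner, value).strip(joiner)


def issuer_from_dn(dn, prefer_org=True):
    """Return the slugified 'issuer' column value for an issuer DN.

    prefer_org=True mirrors the quoted code (O first, CN as fallback);
    prefer_org=False is the behaviour this issue asks for (CN first,
    O as fallback). Returns None when neither attribute is present,
    e.g. a source import with missing fields as in #1645.
    """
    attrs = parse_dn(dn)
    order = ('O', 'CN') if prefer_org else ('CN', 'O')
    for attr in order:
        if attrs.get(attr):
            return text_to_slug(attrs[attr][0], '')
    return None


if __name__ == '__main__':
    # Constructed sub-CA issuer DN, similar in shape to the one in the issue.
    sub_ca = 'CN=Sub CA 1,O=Org Name,C=US'
    print('org-preferred :', issuer_from_dn(sub_ca))                   # OrgName
    print('cn-preferred  :', issuer_from_dn(sub_ca, prefer_org=False))  # SubCA1
```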

@castrapel

This should also be fixed in #1691 but note the issuer name is taken directly from the certificate, so it may differ from the authority name as defined in Lemur.


explody commented Oct 17, 2018

Hey, danger on this one. I was going to provide an alembic migration that updated existing certs to use the issuer name rather than org name but after talking to @kevgliss about naming/cert uniqueness, I'm concerned that this might break the AWS plugin.

Generally, because cert names from AWS have at least some association to the ARN, and specifically because in sync_endpoints the AWS API calls return cert data that only includes the ARN, from which the certificate name is derived like this:

certificate_name=iam.get_name_from_arn(listener['Listener']['SSLCertificateId'])

It is then searched for by name here:

certificate_name = endpoint.pop('certificate_name')
endpoint['certificate'] = certificate_service.get_by_name(certificate_name)

If imported or lemur-created certs are created with the "proper" issuer name in the cert name, will this cease to match the name that is derived from the ARN? We don't have an AWS instance set up to test this with...
