
Potential bug if the CA has been renewed #865

@aloeenmae

Description


When I download the SubCA used for signing client certificates through the EJBCA Admin UI and Web RA, which underwent a re-key several years ago, its serial number is completely different from what the EJBCA WS returns.

  1. Add an End Entity, the data we send to the WebService is as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <ns1:editUser xmlns:ns1="http://ws.protocol.core.ejbca.org/">
          <arg0>
            <caName>My CA</caName>
            <certificateProfileName>testprofile</certificateProfileName>
            <clearPwd>false</clearPwd>
            <email>ejbca@localhost</email>
            <endEntityProfileName>test</endEntityProfileName>
            <endTime>2025-04-05 00:00:00+00:00</endTime>
            <keyRecoverable>false</keyRecoverable>
            <password>somerandompassword</password>
            <sendNotification>false</sendNotification>
            <startTime>2025-04-04 00:00:00+00:00</startTime>
            <status>10</status>
            <subjectAltName/>
            <subjectDN>DC=0,L=Test,ST=Test,C=EE,OU=Test,O=Test Org,CN=Test cert</subjectDN>
            <tokenType>USERGENERATED</tokenType>
            <username>96D6250CA49F5FBEC0E116BF67AB3E6A6F9E509C3F8B4EEABD8EBC78B5371623</username>
          </arg0>
        </ns1:editUser>
      </soapenv:Body>
    </soapenv:Envelope>

  2. Perform a PKCS10 Enrollment, the input is currently as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <ns1:pkcs10Request xmlns:ns1="http://ws.protocol.core.ejbca.org/">
          <arg0>96D6250CA49F5FBEC0E116BF67AB3E6A6F9E509C3F8B4EEABD8EBC78B5371623</arg0>
          <arg1>somerandompassword</arg1>
          <arg2>-----BEGIN CERTIFICATE REQUEST-----<DATA_HERE>-----END CERTIFICATE REQUEST-----</arg2>
          <arg4>CERTIFICATE</arg4>
        </ns1:pkcs10Request>
      </soapenv:Body>
    </soapenv:Envelope>

  3. Finally request the last certificate chain:
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <ns1:getLastCertChain xmlns:ns1="http://ws.protocol.core.ejbca.org/">
          <arg0>96D6250CA49F5FBEC0E116BF67AB3E6A6F9E509C3F8B4EEABD8EBC78B5371623</arg0>
        </ns1:getLastCertChain>
      </soapenv:Body>
    </soapenv:Envelope>

  4. In response to the query made in point 3, the CA chain is returned:
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
        <ns2:getLastCertChainResponse xmlns:ns2="http://ws.protocol.core.ejbca.org/">
          <return><type>0</type><certificateData>%%DATA%%</certificateData></return>
          <return><type>0</type><certificateData>%%DATA%%</certificateData></return>
          <return><type>0</type><certificateData>%%DATA%%</certificateData></return>
          <return><type>0</type><certificateData>%%DATA%%</certificateData></return>
        </ns2:getLastCertChainResponse>
      </soap:Body>
    </soap:Envelope>

In the getLastCertChainResponse, the serial number of the SubCA that underwent the re-key is different (probably the serial used before the re-key) from the serial on the same SubCA certificate downloaded through the EJBCA Admin UI.

Relevant code seems to be here.
https://github.com/Keyfactor/ejbca-ce/blob/main/modules/ejbca-ejb/src/org/ejbca/core/model/era/RaMasterApiSessionBean.java#L2789

Originally posted by @aloeenmae in #850
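The following is an added example; it is not code from the issue, from EJBCA, or from the reporter. It builds a small constructed PKI in which a Sub CA is re-keyed (same Subject, new key pair, new serial) and a leaf is signed with the new key, then assembles a getLastCertChainResponse in the shape quoted above that still carries the old Sub CA certificate, which is the symptom the report describes. It parses that response, flags every chain entry whose Subject matches a reference copy of the Sub CA (standing in for the certificate downloaded from the Admin UI) but whose serial number differs, and runs full signature verification over the chain, which fails for the stale chain and succeeds for the expected one. Assumptions not confirmed by the issue: the WS returns the chain end entity first and root last, and certificateData carries base64 DER (if a deployment wraps it in a second base64 layer, decode twice before x509.ParseCertificate). All names, serial numbers and helper functions are illustrative.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// mint creates a certificate for cn signed by parentKey (parent == nil means self-signed).
// The Subject is what survives a re-key, so both Sub CA generations get the same CN.
func mint(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, key.Public(), parentKey))))
}

// Scenario is a constructed PKI: Root -> Sub CA (v1, later re-keyed as v2) -> leaf signed by v2.
type Scenario struct{ Root, SubV1, SubV2, Leaf *x509.Certificate }

func BuildScenario() Scenario {
	rootKey, sub1Key, sub2Key, leafKey := newKey(), newKey(), newKey(), newKey()
	root := mint("Test Root CA", 1, true, nil, rootKey, rootKey)
	sub1 := mint("Test Sub CA", 0x1001, true, root, rootKey, sub1Key)
	sub2 := mint("Test Sub CA", 0x2002, true, root, rootKey, sub2Key) // re-key: new key pair, same Subject, new serial
	leaf := mint("Test cert", 0x3003, false, sub2, sub2Key, leafKey)
	return Scenario{root, sub1, sub2, leaf}
}

// StaleResponse reproduces the reported symptom (leaf signed by v2, chain carries v1); GoodResponse is what the WS should return.
func (s Scenario) StaleResponse() string { return soapChainResponse(s.Leaf, s.SubV1, s.Root) }
func (s Scenario) GoodResponse() string  { return soapChainResponse(s.Leaf, s.SubV2, s.Root) }

// soapChainResponse builds a constructed getLastCertChainResponse in the shape quoted in the issue.
func soapChainResponse(chain ...*x509.Certificate) string {
	out := `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:getLastCertChainResponse xmlns:ns2="http://ws.protocol.core.ejbca.org/">`
	for _, c := range chain {
		out += fmt.Sprintf("<return><type>0</type><certificateData>%s</certificateData></return>", base64.StdEncoding.EncodeToString(c.Raw))
	}
	return out + `</ns2:getLastCertChainResponse></soap:Body></soap:Envelope>`
}

type chainEnvelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Certs   []string `xml:"Body>getLastCertChainResponse>return>certificateData"`
}

// ParseChainResponse returns the chain in wire order (assumed: end entity first, root last),
// taking certificateData as base64 DER.
func ParseChainResponse(soap string) (chain []*x509.Certificate, err error) {
	var env chainEnvelope
	if err = xml.Unmarshal([]byte(soap), &env); err != nil {
		return nil, err
	}
	for i, data := range env.Certs {
		raw, err := base64.StdEncoding.DecodeString(data)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		chain = append(chain, c)
	}
	return chain, nil
}

// FindStaleCA returns chain entries that share the reference CA's Subject but not its serial
// number: a renewed CA being handed out as its pre-renewal certificate.
func FindStaleCA(chain []*x509.Certificate, reference *x509.Certificate) (stale []*x509.Certificate) {
	for _, c := range chain {
		if bytes.Equal(c.RawSubject, reference.RawSubject) && c.SerialNumber.Cmp(reference.SerialNumber) != 0 {
			stale = append(stale, c)
		}
	}
	return stale
}

// VerifyChain takes the last entry as trust anchor and checks every signature from the leaf
// upward; a chain carrying the pre-re-key Sub CA cannot validate a leaf signed with the new key.
func VerifyChain(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return fmt.Errorf("chain has %d entries, need a leaf and at least one CA", len(chain))
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

func main() {
	s := BuildScenario() // s.SubV2 stands in for the Sub CA certificate downloaded from the Admin UI
	for _, r := range []struct{ name, resp string }{{"stale", s.StaleResponse()}, {"good", s.GoodResponse()}} {
		chain := must(ParseChainResponse(r.resp))
		for _, c := range FindStaleCA(chain, s.SubV2) {
			fmt.Printf("%s chain: %q has serial %X, Admin UI copy has %X\n", r.name, c.Subject.CommonName, c.SerialNumber, s.SubV2.SerialNumber)
		}
		fmt.Printf("%s chain: verify=%v\n", r.name, VerifyChain(chain))
	}
}
```

Against a live EJBCA, pass the raw SOAP response body to ParseChainResponse and the Admin UI download (parsed with x509.ParseCertificate) as the reference; a non-empty FindStaleCA result together with a VerifyChain error is the signature of this report, since a relying party that pins or builds its path from the WS chain will reject every certificate issued under the re-keyed CA.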
