nordic-institute · MarcDavid155 · Dec 8, 2025 · Dec 2, 2025 · Dec 4, 2025 · raits
@@ -159,6 +159,7 @@ X-XSRF-TOKEN: {{cs_xsrf_token}}
 [MultipartFormData]
 certificate_profile_info: ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider
 tls_auth: false
+default_csr_format: DER
 acme_server_directory_url: http://{{ca_host}}:8887
 certificate: file,ca/ca.pem;
 

@@ -111,9 +111,7 @@ public CertificationService add(ApprovedCertificationService certificationServic
         final var approvedCaEntity = new ApprovedCaEntity();
         approvedCaEntity.setCertProfileInfo(certificationService.getCertificateProfileInfo());
         approvedCaEntity.setAuthenticationOnly(certificationService.getTlsAuth());
-        if (certificationService.getDefaultCsrFormat() != null) {
-            approvedCaEntity.setDefaultCsrFormat(certificationService.getDefaultCsrFormat().name());
-        }
+        approvedCaEntity.setDefaultCsrFormat(certificationService.getDefaultCsrFormat().name());
         X509Certificate certificate = handledCertificationChainRead(certificationService.getCertificate());
         approvedCaEntity.setName(CertUtils.getSubjectCommonName(certificate));
         approvedCaEntity.setAcmeServerDirectoryUrl(certificationService.getAcmeServerDirectoryUrl());

@@ -87,24 +87,21 @@ public class CertificationServicesController implements CertificationServicesApi
     @PreAuthorize("hasAuthority('ADD_APPROVED_CA')")
     @AuditEventMethod(event = ADD_CERTIFICATION_SERVICE)
     public ResponseEntity<ApprovedCertificationServiceDto> addCertificationService(MultipartFile certificate,
+                                                                                   CsrFormatDto defaultCsrFormat,
                                                                                    String certificateProfileInfo,
                                                                                    String tlsAuth,
-                                                                                   CsrFormatDto defaultCsrFormat,
                                                                                    String acmeServerDirectoryUrl,
                                                                                    String acmeServerIpAddress,
                                                                                    String authenticationCertificateProfileId,
                                                                                    String signingCertificateProfileId) {
         var isForTlsAuth = parseBoolean(tlsAuth);
-        CsrFormat csrFormat = defaultCsrFormat != null
-                ? CsrFormat.valueOf(defaultCsrFormat.name())
-                : CsrFormat.DER;
         byte[] fileBytes = MultipartFileUtils.readBytes(certificate);
         fileVerifier.validateCertificate(certificate.getOriginalFilename(), fileBytes);
         var approvedCa = new ApprovedCertificationService(
                 fileBytes,
                 certificateProfileInfo,
                 isForTlsAuth,
-                csrFormat,
+                CsrFormat.valueOf(defaultCsrFormat.name()),
                 acmeServerDirectoryUrl,
                 acmeServerIpAddress,
                 authenticationCertificateProfileId,

@@ -36,6 +36,7 @@
     <include file="centerui/202504241111-security-server-maintenance-mode.xml" relativeToChangelogFile="true"/>
     <include file="centerui/202510141700-tsa-ocsp-cost-type.xml" relativeToChangelogFile="true"/>
     <include file="centerui/202511031700-ca-csr-format.xml" relativeToChangelogFile="true"/>
+    <include file="centerui/202511271200-ca-csr-nullable.xml" relativeToChangelogFile="true"/>
 
     <!-- must be the last one -->
     <changeSet id="separate-admin-user" author="niis" context="admin" runAlways="true" runOnChange="true" runOrder="last">

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd"
+                   logicalFilePath="centerui/202511271200-ca-csr-nullable.xml">
+
+    <changeSet author="marc.david" id="202511271200-ca-csr-nullable">
+        <comment>Make default_csr_format nullable and remove default value.</comment>
+
+        <dropDefaultValue
+            tableName="approved_cas"
+            columnName="default_csr_format"
+            columnDataType="VARCHAR(255)"/>
+
+        <dropNotNullConstraint
+            tableName="approved_cas"
+            columnName="default_csr_format"
+            columnDataType="VARCHAR(255)"/>
+
+        <update tableName="approved_cas">
+            <column name="default_csr_format" valueComputed="NULL"/>
+        </update>
+    </changeSet>
+
+</databaseChangeLog>
@@ -33,6 +33,7 @@
 import org.niis.xroad.cs.openapi.model.ApprovedCertificationServiceDto;
 import org.niis.xroad.cs.openapi.model.CertificationServiceSettingsDto;
 import org.niis.xroad.cs.openapi.model.CostTypeDto;
+import org.niis.xroad.cs.openapi.model.CsrFormatDto;
 import org.niis.xroad.cs.openapi.model.OcspResponderDto;
 import org.niis.xroad.cs.test.api.FeignCertificationServicesApi;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -177,13 +178,35 @@ public void createCertificationService() throws Exception {
                 "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider");
     }
 
+    @Step("Certification service with certificateProfileInfo {string} and no default csr format is created")
+    public void createCertificationServiceWithoutCsrFormat(String certificateProfileInfo) throws Exception {
+        MultipartFile certificate = new MockMultipartFile("certificate", "certificate.cer", null, generateAuthCert("CN=" + "Subject"));
+
+        try {
+            final ResponseEntity<ApprovedCertificationServiceDto> result = certificationServicesApi
+                    .addCertificationService(certificate, null, certificateProfileInfo, null, null, null, null, null);
+
+            validate(result)
+                    .assertion(equalsStatusCodeAssertion(CREATED))
+                    .assertion(notNullAssertion("body.id"))
+                    .execute();
+
+            putStepData(CERTIFICATION_SERVICE_ID, result.getBody().getId());
+            putStepData(RESPONSE, result);
+            putStepData(RESPONSE_STATUS, result.getStatusCode().value());
+        } catch (FeignException feignException) {
+            putStepData(RESPONSE_STATUS, feignException.status());
+            putStepData(ERROR_RESPONSE_BODY, feignException.contentUTF8());
+        }
+    }
+
     @Step("Certification service with name {string} and certificateProfileInfo {string} is created")
     public void createCertificationService(String name, String certificateProfileInfo) throws Exception {
         MultipartFile certificate = new MockMultipartFile("certificate", "certificate.cer", null, generateAuthCert("CN=" + name));
 
         try {
             final ResponseEntity<ApprovedCertificationServiceDto> result = certificationServicesApi
-                    .addCertificationService(certificate, certificateProfileInfo, null, null, null, null, null, null);
+                    .addCertificationService(certificate, CsrFormatDto.DER, certificateProfileInfo, null, null, null, null, null);
 
             validate(result)
                     .assertion(equalsStatusCodeAssertion(CREATED))
@@ -204,7 +227,8 @@ public void createCertificationService(Integer id, String tlsAuth, String certif
         try {
             var request = new CertificationServiceSettingsDto()
                     .tlsAuth(tlsAuth)
-                    .certificateProfileInfo(certificateProfileInfo);
+                    .certificateProfileInfo(certificateProfileInfo)
+                    .defaultCsrFormat(CsrFormatDto.DER);
 
             final ResponseEntity<ApprovedCertificationServiceDto> result = certificationServicesApi
                     .updateCertificationService(id, request);

@@ -52,6 +52,11 @@ Feature: Certification services API
     When Certification service with id 1 is updated with tlsAuth true and certificateProfileInfo "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"
     Then Returned certification service has id 1, tlsAuth true and certificateProfileInfo "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"
 
+  Scenario: Certification Service is created and fails due to missing default_csr_format field
+    Given Authentication header is set to SYSTEM_ADMINISTRATOR
+    And Certification service with certificateProfileInfo "ee.ria.xroad.common.certificateprofile.impl.BasicCertificateProfileInfoProvider" and no default csr format is created
+    Then Response is of status code 400
+
   @Modifying
   Scenario Outline: Certification Service update failed
     Given Authentication header is set to SYSTEM_ADMINISTRATOR

@@ -3547,6 +3547,9 @@ components:
         - $ref: '#/components/schemas/CertificationServiceSettings'
       description: certification service file and settings
       type: object
+      required:
+        - certificate
+        - default_csr_format
     CertificationServiceSettings:
       description: certification service settings
       properties: