Conditional Access: add renewal marker to generated SCEP profile #45662

Open

mostlikelee wants to merge 1 commit into 40639-cert-renew from pr-2.3e-conditional-access-marker

Conditional Access: add renewal marker to generated SCEP profile#45662
mostlikelee wants to merge 1 commit into
40639-cert-renewfrom
pr-2.3e-conditional-access-marker

Conversation

@mostlikelee mostlikelee commented May 15, 2026

Related issue: Resolves #45580

What this PR does

Adds $FLEET_VAR_CERTIFICATE_RENEWAL_ID to the SCEP payload's Subject OU in the Fleet-generated Conditional Access profile (server/service/conditional_access_idp.go:66-79). With the marker present, auto-renewal activates by default for new Conditional Access deployments.

Why this is needed

Under Decision 2.6, the renewal marker is opt-in — profiles without it work but don't auto-renew. For Conditional Access specifically, Fleet owns both the CA and the profile template, so there's no opt-out use case: every Conditional Access customer wants their cert to auto-renew before the 1-year-and-33-days expiry. Adding the marker to the template means customers get auto-renewal without manually editing the profile they copy out of the UI.

Fleet's Conditional Access SCEP CA mints the cert (ee/server/service/condaccess/config.go:33-62) and preserves Subject OU in issued certs — no external-CA cooperation risk.

Customer impact

  • New setups: deploy the profile from the Conditional Access UI; auto-renewal works automatically.
  • Existing setups (pre-4.86): re-download and re-deploy the profile once to opt into auto-renewal.

The published Conditional Access guide's "Automatic renewal for this certificate is coming soon" line should be removed once this lands (covered in #44348).

Checklist for submitter

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

Testing

  • Added/updated automated tests

Summary by CodeRabbit

  • New Features

    • Apple device profiles now include certificate renewal identifiers for improved certificate lifecycle tracking.
  • Tests

    • Added validation to verify certificate renewal identifiers are correctly embedded in Apple device profiles.

Review Change Stack

The Fleet-generated Conditional Access SCEP profile now includes
$FLEET_VAR_CERTIFICATE_RENEWAL_ID in the cert Subject OU. With Decision
2.6's opt-in framing, the marker is optional — but for Conditional
Access specifically Fleet owns the entire CA, so including it by
default activates auto-renewal out of the box without requiring
customers to manually edit the profile.

Customer impact:
- New setups: deploy the profile from the Conditional Access UI and
  auto-renewal works automatically.
- Existing setups (pre-4.86): re-download and re-deploy the profile
  once to opt into auto-renewal.

The published Conditional Access guide's "Automatic renewal for this
certificate is coming soon" note can be removed once this lands.
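The change described above, as an added example that is not Fleet's code: a stand-in for the Subject portion of an Apple SCEP payload template, rendered once without and once with the $FLEET_VAR_CERTIFICATE_RENEWAL_ID OU, plus a check that parses the rendered plist fragment and reports whether the marker is there. An admin holding a profile downloaded before 4.86 could run the same check to confirm the re-downloaded copy carries the marker before re-deploying. Only the marker name comes from the PR; the template text, the CN value and the plist-walking types are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
	"text/template"
)

// renewalMarker is the Fleet variable named in the PR. Fleet substitutes it per
// host when delivering the profile; its presence in the Subject OU is what
// switches on automatic renewal.
const renewalMarker = "$FLEET_VAR_CERTIFICATE_RENEWAL_ID"

// subjectRDN is one relative distinguished name in an Apple SCEP payload Subject.
type subjectRDN struct {
	Type  string // "CN", "O", "OU", ...
	Value string
}

// subjectTmpl mirrors how a com.apple.security.scep payload encodes Subject: an
// array of RDNs, each an array of [type, value] string pairs. This is a stand-in
// written for the example, not Fleet's conditional_access_idp.go template.
const subjectTmpl = `<dict>
  <key>Subject</key>
  <array>
{{- range .}}
    <array>
      <array>
        <string>{{esc .Type}}</string>
        <string>{{esc .Value}}</string>
      </array>
    </array>
{{- end}}
  </array>
</dict>`

// xmlEscape makes a value safe to embed as plist <string> text.
func xmlEscape(s string) string {
	var b bytes.Buffer
	_ = xml.EscapeText(&b, []byte(s))
	return b.String()
}

// renderSubject produces the Subject fragment for the given RDNs.
func renderSubject(rdns []subjectRDN) (string, error) {
	t, err := template.New("subject").Funcs(template.FuncMap{"esc": xmlEscape}).Parse(subjectTmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, rdns); err != nil {
		return "", err
	}
	return out.String(), nil
}

// legacySubject is a constructed pre-4.86 style Subject with no renewal marker.
func legacySubject() []subjectRDN {
	return []subjectRDN{{Type: "CN", Value: "Fleet Conditional Access"}}
}

// markedSubject adds the renewal marker as an OU, as this PR does in the template.
func markedSubject() []subjectRDN {
	return append(legacySubject(), subjectRDN{Type: "OU", Value: renewalMarker})
}

// Minimal plist shapes needed to walk a Subject array with encoding/xml.
type plistArray struct {
	Arrays  []plistArray `xml:"array"`
	Strings []string     `xml:"string"`
}

type plistDict struct {
	Arrays []plistArray `xml:"array"`
}

// subjectHasRenewalMarker parses a rendered fragment (assumed to hold only the
// Subject key) and reports whether some OU value carries the renewal marker.
func subjectHasRenewalMarker(fragment string) (bool, error) {
	var d plistDict
	if err := xml.Unmarshal([]byte(fragment), &d); err != nil {
		return false, err
	}
	for _, subject := range d.Arrays {
		for _, rdn := range subject.Arrays {
			for _, pair := range rdn.Arrays {
				if len(pair.Strings) == 2 && pair.Strings[0] == "OU" &&
					strings.Contains(pair.Strings[1], renewalMarker) {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

func main() {
	for name, rdns := range map[string][]subjectRDN{"legacy": legacySubject(), "marked": markedSubject()} {
		frag, err := renderSubject(rdns)
		if err != nil {
			panic(err)
		}
		ok, err := subjectHasRenewalMarker(frag)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s profile: renewal marker present = %v\n", name, ok)
	}
}
```

The checker matches on the OU type and the literal variable name because that is the form in which the marker sits in the profile as exported from the UI; once Fleet delivers the profile to a host the variable has been substituted, so the same check run against the on-device profile would need to look for the substituted value instead.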
@mostlikelee
Contributor Author

@coderabbitai full review

coderabbitai Bot commented May 15, 2026

✅ Actions performed

Full review triggered.

coderabbitai Bot commented May 15, 2026

Walkthrough

This PR adds the Fleet certificate renewal marker ($FLEET_VAR_CERTIFICATE_RENEWAL_ID) as an organizational unit (OU) field in the Subject distinguished name of the Apple Conditional Access SCEP profile template. The template modification enables automatic certificate renewal without requiring customers to manually edit their profiles. A corresponding test assertion verifies the marker is correctly placed in the certificate Subject OU within the generated profile XML.

Possibly related issues

  • fleetdm/fleet#44348: Documents requirements for renewal-ID marker in Apple profiles, directly aligned with the template and test changes in this PR.

Possibly related PRs

  • fleetdm/fleet#45043: Introduces validation of the CERTIFICATE_RENEWAL_ID marker in certificate Subject CN/OU for Apple ACME/SCEP flows, complementing this PR's embedding of the renewal ID in the profile template.
  • fleetdm/fleet#44691: Updates certificate Subject OU handling for the stuck-SCEP recovery matcher, using the same renewal-ID marker pattern added to the profile in this PR.
  • fleetdm/fleet#45364: Adds validation that rejects Apple SCEP profiles lacking the renewal marker in the certificate Subject OU, establishing the requirement that this PR fulfills in the generated Conditional Access profile.

🚥 Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

  • ❌ Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)

  • ✅ Description check: The PR description covers the main objective, rationale, and customer impact but is missing documentation updates and end-to-end integration test details mentioned in the acceptance criteria.
  • ✅ Linked Issues check: The code changes directly implement the primary requirement of adding the renewal marker to the Subject OU in the conditional_access_idp.go template with corresponding test validation.
  • ✅ Out of Scope Changes check: All code changes are directly scoped to the renewal marker implementation in the Conditional Access SCEP profile template and its tests.
  • ✅ Title check: The title 'Conditional Access: add renewal marker to generated SCEP profile' directly and accurately describes the main change: adding a renewal marker to the SCEP profile template in the Conditional Access service.

@mostlikelee mostlikelee marked this pull request as ready for review May 15, 2026 23:15
@mostlikelee mostlikelee requested a review from a team as a code owner May 15, 2026 23:15
@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

codecov Bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (40639-cert-renew@888f0a2). Learn more about missing BASE report.

Additional details and impacted files
@@                 Coverage Diff                 @@
##             40639-cert-renew   #45662   +/-   ##
===================================================
  Coverage                    ?   66.76%           
===================================================
  Files                       ?     2746           
  Lines                       ?   219484           
  Branches                    ?    10831           
===================================================
  Hits                        ?   146539           
  Misses                      ?    59707           
  Partials                    ?    13238           
Flag Coverage Δ
backend 68.59% <ø> (?)

@mostlikelee mostlikelee changed the title Conditional Access: add renewal marker to generated SCEP profile (PR 2.3e) Conditional Access: add renewal marker to generated SCEP profile May 17, 2026