mgr/cephadm: fixing generate_cert to pick the right root subject

This cherry-picked change:
   Ensures upgrade safety by reusing the subject from the already-loaded root
   certificate instead of hardcoding a new one.
   (commit 918d0ac)

Signed-off-by: Redouane Kachach <[email protected]>
Signed-off-by: Kushal Deb <[email protected]>

Author: rkachach

src/pybind/mgr/cephadm/ssl_cert_utils.py

@@ -197,11 +197,8 @@ def generate_cert(
         public_key = private_key.public_key()
 
         builder = x509.CertificateBuilder()
-        root_ca_name = x509.Name([
-            x509.NameAttribute(NameOID.COMMON_NAME, f'cephadm-root-{self.cluster_fsid}'),
-        ])
         builder = builder.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, addrs[0]), ]))
-        builder = builder.issuer_name(root_ca_name)
+        builder = builder.issuer_name(self.get_root_issuer_name())
         builder = builder.not_valid_before(datetime.now())
         builder = builder.not_valid_after(datetime.now() + timedelta(days=self.certificate_duration_days))
         builder = builder.serial_number(x509.random_serial_number())
@@ -298,6 +295,11 @@ def get_root_cert(self) -> str:
         except AttributeError:
             return ''
 
+    def get_root_issuer_name(self) -> x509.Name:
+        if not self.root_cert:
+            raise SSLConfigException("Root certificate not initialized.")
+        return self.root_cert.subject
+
     def get_root_key(self) -> str:
         try:
             return self.root_key.private_bytes(