Replies: 1 comment
Unfortunately, this is an internal process internally generating a random temporary enrollment code for the renewal, so it overwrites both clearPwd and the password itself.
Hello,
We use EJBCA to manage certificates. Our application communicates with EJBCA via REST services, and with end entities via the CMP protocol over HTTP.
CMP is configured in client mode, and authentication uses the HMAC method.
We sometimes need to revoke an end entity's certificate and force it to make a new certificate request (IR) using the same password. (Passwords cannot be changed.)
Before an end entity's certificate expires, the entity performs a KUR, and the password becomes hidden in EJBCA. As a result, if the end entity makes an IR request after the KUR, its request will be rejected due to the hidden password.
In the code, I can see that KUR calls the changeUser method and sets the clearPwd flag to false, which explains this behaviour.
Resetting the password manually in EJBCA is not an option.
Is there a way to prevent the KUR from hiding the password?
We are aware that a password should only be used once, but our workflow requires us to reuse the same password.
The workflow is as follows:
The first time, the application adds the end entity in EJBCA with a password that is hardcoded in the entity, and forces the end entity to submit its initial certificate request (IR).
If needed, a user can revoke the certificate and force the end entity to submit a new certificate request (IR) using the same password.
As the certificate approaches its expiration date, the end entity automatically submits a renewal request (KUR).
Thank you in advance for your replies