Certificate Assistant Generates it's own private key each time

Isn’t that special? I thought so… drove me crazy until i found a workaround. When the CA generates signed certificate from the CSR, they need to be mindful of whether their Certificate Assistant generates these spurious keys. If it does:

1. Delete the spurious user keys and user certificate from the CA’s default (usually: login) keychain. Note that in some cases there will not be a user certificate, if Certificate Assistant presented the duplicate certificate in keychain error. Be sure to check carefully!
2. If Certificate Assistant made it far enough to create the outgoing email message with the defective certificate, delete this message draft.
3. Re-run the CSR your user sent in, as if you were doing so for the first time.

In my testing, this workaround works 100% of the time: the second time the CSR runs on the CA’s system, the CA’s Certificate Assistant properly signs the user’s certificate and does not make any spurious keys on the CA’s system.

BTW i have seen this happen with Certificate Assistant 2.0/10.5.8 Leopard, CA 3.0/10.6.8 Snow Leopard, and CA 4.4/10.7.5 Lion. I have not yet seen it with CA 5.0/10.8.3 Mountain Lion, though given the intermittent nature of this bug, my confidence is low that it is truly fixed.

I’ve spent the last few years spending waaaaaaay too much time testing and documenting Apple’s OS X and Mail S/MIME implementation, and recently put up web pages with my findings, including this workaround. Hopefully the information will help some folks.

))Sonic((

I'm having the same problem under OS X 10.9 Mavericks. Deleting the spurious certificates and keys does not seem to work, they appear again after resubmitting the CSR.