Hi,

> I followed the quickstart guide to test the SCEP functionality, but all of my 
> requests via SCEP are in PENDING status and need manual intervention from an 
> operator to approve them via the web UI.

As you may have guessed, that’s expected behavior ;-)

The enrollment workflow always goes through two phases before it issues a 
certificate:
- authentication
- authorization

You can influence (and also disable) these steps in the configuration.

Authentication means that the system knows who is requesting a certificate; 
authorization means that someone/something decided that it’s OK to issue a 
certificate for this end entity.

You don’t state what you want to achieve, but I assume you need a simple 
„immediately issue certificate no questions asked“ behavior.

I also assume you are performing unauthenticated (anonymous) enrollments, which 
are the default behavior of most SCEP clients (self-signed request).

To allow cert issuance in this context you need to do the following:

- accept anonymous enrollments
- give implicit approval to incoming requests

Try the following configuration.

* Leave the following block empty (or comment it out):
authorized_signer_on_behalf:
* Include the following block
eligible:
    initial:
       value: 1
    renewal:
       value: 1

This essentially answers the „authentication“ and „authorization“ questions 
with a static „yes“.
The beauty of the system is that you could offload the decision to an external 
data source that answers the questions based on the request data (e.g. the 
requested subject).

In the „policy“ block make sure that approval_points is 1 and allow_anon_enroll 
is 1.

Once you have done this, all incoming SCEP requests should be issued immediately. 
If this is not the case, the reason might be in the other policy settings, 
e.g. the maximum number of valid certs with the same subject. Please refer to 
the docs for details: 
https://openxpki.readthedocs.org/en/latest/reference/configuration/workflows/scep.html

Cheers

Martin
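The following is an added illustration, not OpenXPKI code and not part of Martin's mail: a toy model of the two-phase enrollment decision the mail describes (authentication, then authorization), using the configuration keys it names (`authorized_signer_on_behalf`, `eligible.initial.value`, `eligible.renewal.value`, `policy.approval_points`, `policy.allow_anon_enroll`). How those keys combine below is a simplifying assumption made for the example, as are the two sample configurations and the request dictionaries; the point is to make visible why the proposed settings turn PENDING into ISSUED, and to give operators a small audit that flags when a SCEP endpoint has been put into "issue to anyone, no questions asked" mode.

```python
"""Toy model of the SCEP enrollment decision described in the mail.

Assumption (not OpenXPKI's real workflow logic): the static 'eligible' value
is treated as the number of approval points a request holds implicitly, and
the request is issued once that number reaches policy.approval_points.
"""

ISSUED, PENDING, REJECTED = "ISSUED", "PENDING", "REJECTED"

# Constructed sample: the permissive configuration proposed in the mail.
AUTO_ISSUE_CONFIG = {
    "authorized_signer_on_behalf": {},      # left empty -> anonymous requests only
    "eligible": {
        "initial": {"value": 1},
        "renewal": {"value": 1},
    },
    "policy": {"approval_points": 1, "allow_anon_enroll": 1},
}

# Constructed sample: anonymous requests are accepted, but nothing grants an
# approval point, so every request waits for an operator in the web UI.
OPERATOR_APPROVAL_CONFIG = {
    "authorized_signer_on_behalf": {},
    "eligible": {
        "initial": {"value": 0},
        "renewal": {"value": 0},
    },
    "policy": {"approval_points": 1, "allow_anon_enroll": 1},
}


def authenticate(cfg, request):
    """Phase 1: does the system know who is asking?

    Anonymous (self-signed) requests pass only if allow_anon_enroll is 1.
    A request signed on behalf of the end entity passes only if the signer
    appears in authorized_signer_on_behalf (assumed lookup by name).
    """
    if request.get("anonymous", True):
        return cfg["policy"].get("allow_anon_enroll", 0) == 1
    signers = cfg.get("authorized_signer_on_behalf") or {}
    return request.get("signer") in signers


def authorize(cfg, request):
    """Phase 2: compare the implicit approval points (the static 'eligible'
    value for initial or renewal) with the points the policy requires."""
    phase = "renewal" if request.get("renewal") else "initial"
    implicit_points = cfg["eligible"][phase]["value"]
    return implicit_points >= cfg["policy"]["approval_points"]


def enrollment_state(cfg, request):
    """Outcome of one enrollment request under the given configuration."""
    if not authenticate(cfg, request):
        return REJECTED
    return ISSUED if authorize(cfg, request) else PENDING


def audit_scep_policy(cfg):
    """Return human-readable findings about how permissive the config is."""
    findings = []
    pol = cfg["policy"]
    anon = pol.get("allow_anon_enroll", 0) == 1
    auto = {
        phase: cfg["eligible"][phase]["value"] >= pol["approval_points"]
        for phase in ("initial", "renewal")
    }
    if anon and auto["initial"]:
        findings.append(
            "anonymous initial enrollment is issued without operator review: "
            "anything that can reach the SCEP URL can obtain a certificate"
        )
    if anon and auto["renewal"]:
        findings.append("anonymous renewals are issued without operator review")
    if not cfg.get("authorized_signer_on_behalf"):
        findings.append("no authorized signer configured; only anonymous "
                        "enrollment is possible")
    return findings


if __name__ == "__main__":
    anon_request = {"anonymous": True}
    for name, cfg in (("auto-issue", AUTO_ISSUE_CONFIG),
                      ("operator-approval", OPERATOR_APPROVAL_CONFIG)):
        print(name, "->", enrollment_state(cfg, anon_request))
        for finding in audit_scep_policy(cfg):
            print("  finding:", finding)
```

With the mail's settings the anonymous request goes straight to ISSUED; with the eligible values at 0 it stays PENDING, which is the behaviour the original question reported. The audit output is the thing to keep an eye on: a SCEP endpoint in auto-issue mode should only be reachable from the network segment whose devices you actually intend to enroll, and the remaining policy limits (such as the maximum number of valid certificates per subject that the mail mentions) become the only brakes left.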


------------------------------------------------------------------------------
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users