Hello Dirk, if you do not care on "in progress" workflows you can remove the whole "workflow" check as there is also a check based on issued certificates - and no there is no risk to break things besides getting a key certified twice.
The other option would be to just add another action to "override" the policy block to the state you have quoted (global_noop2 > ENTER_SUBJECT). Oliver Am 28.05.19 um 11:31 schrieb Dirk Heuvels: > Hi all, > > from time to time our RA operators fail a cert-request workflow, for > example by pressing the "back" button in the Browser, where they > shouldn't do so. > > If it is for a customer generated CSR, I would like to start a new > request with the same publickey/CSR, because I don't want to tell the > customer, that we screwed up hist request. However I'm getting > KEY_DUPLICATE_ERROR, when I do so. We using OpenXPKI 2.0.3-0 with pretty > much the standard workflows of "ca-one". > > I suppose here is one of the possible places, where I can get around the > problem: > > workflow/def/certificate_signing_request_v2.yaml > KEY_DUPLICATE_ERROR_WORKFLOW: > label: > I18N_OPENXPKI_UI_WORKFLOW_STATE_KEY_DUPLICATE_ERROR_WORKFLOW_LABEL > description: > I18N_OPENXPKI_UI_WORKFLOW_STATE_KEY_DUPLICATE_ERROR_WORKFLOW_DESC > action: > - upload_pkcs10 > CHECK_FOR_DUPLICATE_KEY > - global_noop > CHECK_FOR_DUPLICATE_KEY > - global_cancel > CLEANUP_BEFORE_CANCEL > > The preferred behavior would be that CHECK_FOR_DUPLICATE_KEY only fails > if the key is not found in a successful workflow. > If that is not possible, is there a risk of breaking things, if I simply > remove the check from the workflow? If it only results in the > (theoretical) possibility to craft certificates for the same key, I can > live with it. > > Cheers, > Dirk > > > Mit freundlichen Grüßen, > Dirk Heuvels > -- Protect your environment - close windows and adopt a penguin!
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
