Hi Oliver,

Thanks for the information. It goes into PENDING. Here is the policy section:

policy:
    # Authentication Options
    # Initial requests need ONE authentication.
    # Activate Challenge Password and/or HMAC by setting the appropriate
    # options below.

    # if set requests can be authenticated by an operator
    allow_man_authen: 0

    # if set, no authentication is required at all and hmac/challenge is
    # not evaluated even if it is set/present in the request!
    allow_anon_enroll: 0

    # Approval
    # If not autoapproved, allow operator to add approval by hand
    allow_man_approv: 1

    # if the eligibility check failed the first time
    # show a button to run a recheck (Workflow goes to PENDING)
    allow_eligibility_recheck: 0

    # Approval points required (eligibility and operator count as one point each)
    # if you set this to "0", all authenticated requests are auto-approved!
    approval_points: 1

    # The number of active certs with the same subject that are allowed
    # to exist at the same time, deducted by one if a renewal is seen
    # set to 0 if you don't want to check for duplicates at all
    max_active_certs: 0

    # option will be removed
    # allow_expired_signer: 0

    # If an initial enrollment is seen
    # all existing certificates with the same subject are revoked
    auto_revoke_existing_certs: 1

    # allows a "renewal" outside the renewal window, the notafter date
    # is aligned to the old certificate. Set revoke_on_replace option
    # to revoke the replaced certificate.
    # This substitutes the "replace_window" from the OpenXPKI v1 config
    allow_replace: 1

Thanks & Regards,
Chandra

Chandramauli De
QA, Fleet management
STL, ISS
www.lexmark.com

From: Oliver Welter <m...@oliwel.de>
Sent: Sunday, November 6, 2022 3:47 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Need help to make openxpki scep 2.5.5 work in auto approval mode

Hi Chandra,

the approval looks fine but your policy section is missing so I can not tell you where it hangs - does it go into "PENDING" or is it stuck in "MANUAL AUTHENTICATION"?

You are likely missing the "authentication" step - check the docs for the enrollment workflow.

Besides, you should upgrade to 3.x - the 2.5 branch is no longer maintained.

Oliver

On 03.11.22 11:50, Chandramauli De via OpenXPKI-users wrote:

Hello everyone,

Please find below the content (excerpt) of the generic.yaml of the openxpki scep 2.5.5. I want to make openxpki work in auto-approval mode. Currently it's going for manual approval. Can you please help me with what's going wrong here:

profile:
    cert_profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
    cert_subject_style: enroll

# Mapping of names to OpenXPKI profiles to be used with the
# Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
profile_map:
    pc-client: I18N_OPENXPKI_PROFILE_TLS_CLIENT

# HMAC based authentication
hmac: verysecret

challenge:
    value: SecretChallenge

eligible:
    initial:
        value: 1
        # value@: connector:scep.scep-server-1.connector.initial
        # args: '[% context.cert_subject_parts.CN.0 %]'
        # expect:
        #   - Build
        #   - New

    renewal:
        value: 1

connector:
    initial:
        class: Connector::Proxy::YAML
        # this file must have a key/value list with the key being
        # the subject and the value being a true value
        # e.g. "pc1234.example.org: 1"
        LOCATION: /home/pkiadm/cmdb.yaml

Thanks & Regards,
Chandra

Chandramauli De
QA, Fleet management
STL, ISS
www.lexmark.com

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!