Hi,

> 5- I do get authenticated through basic auth AND through the certificates I'm
> passing to cURL.
> But I keep getting back the same certificate.
> No workflow is triggered.
> And in EST.log
>
>>>> INF authenticated client DN: CN=same cn,DC=Test
>>>> Deployment,DC=OpenXPKI,DC=org [pid=91|ep=[undef]]
>
> 6- I thought it was my authentication stack causing the issue (using http
> basic), so I reversed it back to the default (anonymous), and I still don't
> get the renewal mode, just fetching the same certificate.

When receiving an enrollment request via any of its enrollment interfaces, OpenXPKI distinguishes initial enrollment, renewal and enrollment on behalf mode and branches into the respective branch of the enrollment workflow. You can see which path is chosen by examining the enrollment workflow instance and its context.

If you send the same CSR (based on the same private key) to an enrollment interface, you will get back the existing certificate if the enrollment workflow for this key was previously successfully executed.

If you wish to perform a renewal, you need to generate a new private key and a new certificate request based on that new key. In order to qualify as a renewal from the viewpoint of OpenXPKI, the renewal request must be authenticated by the old, existing certificate and key (and the subject must match). In your example this means that you would have to call curl with certificate and key option pointing to the old certificate.

Also, the existing certificate validity is considered by the enrollment workflow. Depending on configuration, the request may only be accepted if a certain remaining validity of the existing certificate is not exceeded.

Cheers

Martin
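
The renewal request described in the reply above, as added shell functions that are not part of the original message or of OpenXPKI: a new key and CSR are generated, checked against the old certificate (same subject, different public key), and sent while authenticating with the old certificate and key. The file names, the subject and the URL are caller-supplied placeholders, and the request body format (base64 DER PKCS#10, as in RFC 7030 simplereenroll) is an assumption about the endpoint.

```shell
#!/bin/sh
# Added example: prepare and pre-check an EST renewal (re-enrollment) request.
# File names, subject and URL are placeholders supplied by the caller.

# Create a NEW private key and a CSR for it. Re-sending the old CSR/key
# would only return the existing certificate.
# $1 = subject in OpenSSL form (must equal the old certificate's subject)
# $2 = new key file to write, $3 = new CSR file to write
make_renewal_csr() {
    openssl genrsa -out "$2" 2048 2>/dev/null &&
    openssl req -new -key "$2" -subj "$1" -out "$3"
}

# Return 0 only if the CSR can count as a renewal of the old certificate:
# identical subject, different public key. Returns 1 otherwise, 2 on read errors.
# $1 = old certificate (PEM), $2 = new CSR (PEM)
is_renewal_candidate() {
    old_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//') || return 2
    new_subj=$(openssl req -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//') || return 2
    old_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    new_pub=$(openssl req -in "$2" -noout -pubkey) || return 2
    if [ -z "$old_subj" ] || [ -z "$new_subj" ]; then return 2; fi
    if [ "$old_subj" != "$new_subj" ]; then
        echo "subject differs from old certificate" >&2; return 1
    fi
    if [ "$old_pub" = "$new_pub" ]; then
        echo "CSR reuses the old key: existing certificate would be returned" >&2; return 1
    fi
    return 0
}

# Send the new CSR, authenticating the TLS connection with the OLD cert and key.
# $1 = re-enrollment URL, $2 = old cert, $3 = old key, $4 = new CSR
# Body encoding (base64 DER, application/pkcs10) is assumed from RFC 7030.
est_reenroll() {
    is_renewal_candidate "$2" "$4" || return 1
    openssl req -in "$4" -outform DER | openssl base64 |
    curl --fail --cert "$2" --key "$3" \
         -H 'Content-Type: application/pkcs10' --data-binary @- "$1"
}
```

Whether the server then takes the renewal branch still depends on its configured remaining-validity window for the old certificate, which cannot be checked from the client side.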