Hi,

> We have a new openxpki system running. I can request and approve a new
> certificate. But I see no option for renewing a certificate. Is SCEP the only
> way to renew?

The stock workflows shipped with the Community Edition do not distinguish between an initial manual certificate request and a certificate renewal. A manual certificate renewal looks exactly like the initial certificate request and must be processed in the same way.

However, the system implicitly tracks the underlying end entity by applying a (configurable) unique subject policy. During the manual request process, an indication is provided to the Registrations Officer which links to possibly existing certificates for the same subject, allowing ample scrutiny to be applied to the request.

Certificate renewal for the automated interfaces EST, SCEP, RPC will issue exactly the same certificate that was initially requested (with updated validity and public key), regardless of the details in the certificate request.

Unique subject constraints are enforced for automatic enrollments, and the system can be configured to either reject renewal requests outside the designated renewal window (e.g. 60 days before expiration) or to change into a "replacement" mode which is very similar to a certificate renewal (but outside the renewal window) but results in a replacement certificate with the SAME validity as the existing certificate. In addition, the system can automatically create a revocation request for the existing certificate scheduled for automatic execution in the future (effectively revoking the existing certificate after a grace period).

A manual renewal workflow which can act on an existing certificate is not shipped with the OpenXPKI Community Edition. If you require such a workflow, this is possible with the Enterprise Edition. In this case please get in touch with White Rabbit Security GmbH.

Cheers

Martin