Hi Chandra,

Looks good to me, but as you have v2.5 I do not know exactly what workflow definition you have in place, so no idea. As said, upgrade to v3 and current workflows.

Oliver
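
An added example, not part of the thread and not OpenXPKI code: a small review helper that applies the point counting described in the comments of the policy section quoted below and lists what the posted values imply for unattended issuance. The function name, the default of 1 for a missing `approval_points`, and the finding texts are assumptions; the actual decision is made by the workflow definition, which differs between releases.

```python
# Added example, not OpenXPKI code: point counting as the config comments
# describe it. The real decision is made by the workflow definition.
def review_policy(policy, eligible_value, secrets):
    """Return (auto_approved, findings) for an authenticated initial request.

    policy         -- the keys of the 'policy:' section
    eligible_value -- static 'eligible.initial.value'; None if a connector
                      decides (treated here as not eligible)
    secrets        -- static 'hmac' / 'challenge' values found in the config
    """
    flag = lambda key: int(policy.get(key, 0))
    needed = int(policy.get("approval_points", 1))  # assumed default
    # Comment in the config: eligibility and operator count as one point each.
    unattended_points = 1 if eligible_value else 0
    auto = unattended_points >= needed
    findings = []
    if flag("allow_anon_enroll"):
        findings.append("allow_anon_enroll=1: hmac/challenge are not evaluated")
    if needed == 0:
        findings.append("approval_points=0: all authenticated requests auto-approve")
    if eligible_value:
        findings.append("eligible.initial.value is static: every subject is eligible")
    if flag("max_active_certs") == 0:
        findings.append("max_active_certs=0: duplicate subjects are not checked")
    if auto and flag("auto_revoke_existing_certs"):
        findings.append("auto_revoke_existing_certs=1: an unattended initial "
                        "enrollment revokes existing certs with the same subject")
    for name, value in secrets.items():
        if value:
            findings.append(f"{name}: shared static secret stored in the config")
    if not auto and not flag("allow_man_approv"):
        findings.append("not auto-approved and allow_man_approv=0: "
                        "no operator can add the missing point")
    return auto, findings

# Values copied from the policy and eligible sections posted in this thread.
THREAD_POLICY = {
    "allow_man_authen": 0, "allow_anon_enroll": 0, "allow_man_approv": 1,
    "allow_eligibility_recheck": 0, "approval_points": 1,
    "max_active_certs": 0, "auto_revoke_existing_certs": 1, "allow_replace": 1,
}
THREAD_SECRETS = {"hmac": "verysecret", "challenge": "SecretChallenge"}

if __name__ == "__main__":
    auto, findings = review_policy(THREAD_POLICY, 1, THREAD_SECRETS)
    print("auto-approved by point count:", auto)
    for finding in findings:
        print(" -", finding)
```
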


On 07.11.22 14:05, Chandramauli De via OpenXPKI-users wrote:

Hi Oliver,

Thanks for the information. It goes into PENDING. Here is the policy section:

policy:
    # Authentication Options
    # Initial requests need ONE authentication.
    # Activate Challenge Password and/or HMAC by setting the appropriate
    # options below.
    # if set requests can be authenticated by an operator
    allow_man_authen: 0

    # if set, no authentication is required at all and hmac/challenge is
    # not evaluated even if it is set/present in the request!
    allow_anon_enroll: 0

    # Approval
    # If not autoapproved, allow operator to add approval by hand
    allow_man_approv: 1

    # if the eligibility check failed the first time
    # show a button to run a recheck (Workflow goes to PENDING)
    allow_eligibility_recheck: 0

    # Approval points required (eligibility and operator count as one point each)
    # if you set this to "0", all authenticated requests are auto-approved!
    approval_points: 1

    # The number of active certs with the same subject that are allowed
    # to exist at the same time, deducted by one if a renewal is seen
    # set to 0 if you don't want to check for duplicates at all
    max_active_certs: 0

    # option will be removed
    # allow_expired_signer: 0

    # If an initial enrollment is seen
    # all existing certificates with the same subject are revoked
    auto_revoke_existing_certs: 1

    # allows a "renewal" outside the renewal window, the notafter date
    # is aligned to the old certificate. Set revoke_on_replace option
    # to revoke the replaced certificate.
    # This substitutes the "replace_window" from the OpenXPKI v1 config
    allow_replace: 1

Thanks & Regards,
Chandra


*Chandramauli De*
QA, Fleet management

STL, ISS

www.lexmark.com

*From:* Oliver Welter <[email protected]>
*Sent:* Sunday, November 6, 2022 3:47 PM
*To:* [email protected]
*Subject:* Re: [OpenXPKI-users] Need help to make openxpki scep 2.5.5 work in auto approval mode

Hi Chandra,

the approval looks fine but your policy section is missing so I cannot tell you where it hangs - does it go into "PENDING" or is it stuck in "MANUAL AUTHENTICATION"? You are likely missing the "authentication" step - check the docs for the enrollment workflow.

Besides, you should upgrade to 3.x - the 2.5 branch is no longer maintained.

Oliver

On 03.11.22 11:50, Chandramauli De via OpenXPKI-users wrote:

    Hello everyone,

    Please find below the content (excerpt) of the generic.yaml of the
    openxpki scep 2.5.5. *I want to make openxpki work in
    auto-approval mode*. Currently it’s going for manual approval. Can
    you please help me with what’s going wrong here:

    profile:
      cert_profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
      cert_subject_style: enroll

    # Mapping of names to OpenXPKI profiles to be used with the
    # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
    profile_map:
        pc-client: I18N_OPENXPKI_PROFILE_TLS_CLIENT

    # HMAC based authentication
    hmac: verysecret

    challenge:
        value: SecretChallenge

    eligible:
        initial:
           value: 1
           # value@: connector:scep.scep-server-1.connector.initial
           # args: '[% context.cert_subject_parts.CN.0 %]'
           # expect:
           #  - Build
           #  - New

        renewal:
           value: 1

    connector:
        initial:
            class: Connector::Proxy::YAML
            # this file must have a key/value list with the key being
            # the subject and the value being a true value
            # e.g. "pc1234.example.org: 1"
            LOCATION: /home/pkiadm/cmdb.yaml

    Thanks & Regards,
    Chandra


    *Chandramauli De*
    QA, Fleet management

    STL, ISS

    www.lexmark.com <http://www.lexmark.com>




    _______________________________________________

    OpenXPKI-users mailing list

    [email protected]

    https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!

