Hi Oliver,

Thank you very much for your detailed response. I am able to revoke the certificate by setting preset_flag_auto_approval.

One more query: I also modified the eligible section in the enroll.yaml file based on one of the threads, as below.

    eligible:
        initial:
            #value@: connector:rpc.enroll.connector.intranet
            #args: '[% context.cert_subject_parts.CN.0 %]'
            value: 1
        renewal:
            value: 1
        onbehalf:
            value: 1

For auto enrollment/renewal, do I need to change the eligible section like above if HTTPS/HTTP? Can you please throw some more light on this?

Thanks in advance.

Regards,
Mukilan

On Friday, 11 November, 2022 at 09:20:13 am GMT+1, Oliver Welter <[email protected]> wrote:

Hi Mukilan,

the workflow is intended to be used with TLS Client Auth and the "approval" is then done based on the evaluation of the "authorized_signer" part as it is documented for the enrollment workflow.

As the workflow has an "autoapproval" flag that is usually set when this is run internally, you can use the "preset*" magic to set this: in /etc/openxpki/rpc/enroll.conf append the last line as follows:

    [RevokeCertificate]
    workflow = certificate_revocation_request_v2
    param = cert_identifier, reason_code, comment, invalidity_time
    env = signer_cert, server
    output = error_code
    preset_flag_auto_approval = 1

This will set the parameter "flag_auto_approval" to the value of one for every incoming call on this endpoint. You should obviously make sure that nobody can access this endpoint address without proper authentication, or otherwise anybody with network access can revoke certificates, which is very likely not what you want.

Oliver

On 10.11.22 09:57, Mukilan P via OpenXPKI-users wrote:

Thank you very much Oliver. I have gone through your reply. I need some clarity on your reply.

Can you please share a sample enroll.yaml to enable auto approval of revocation, or the configuration properties to make auto approval for revocation? I am using plain HTTP for testing purposes.

Regards,
Mukilan

On Wednesday, 9 November, 2022 at 09:35:26 am GMT+1, Oliver Welter <[email protected]> wrote:

https://sourceforge.net/p/openxpki/mailman/message/37670844/

On 07.11.22 22:40, Mukilan P via OpenXPKI-users wrote:

Hi Experts,

Can you please provide a sample workflow to skip authentication/authorization for auto approval of revocation? I tried with the following sample config in /rpc/enroll.yml, but it is not working out.

    policy:
        # Authentication Options
        # Initial requests need ONE authentication.
        # Activate Challenge Password and/or HMAC by setting the appropriate
        # options below.

        # if set requests can be authenticated by an operator
        allow_man_authen: 0

        # if set, no authentication is required at all and hmac/challenge is
        # not evaluated even if it is set/present in the request!
        allow_anon_enroll: 1

        # Approval
        # If not autoapproved, allow operator to add approval by hand
        allow_man_approv: 0

        # if the eligibility check failed the first time
        # show a button to run a recheck (Workflow goes to PENDING)
        allow_eligibility_recheck: 0

        # Approval points required (eligibility and operator count as one point each)
        # if you set this to "0", all authenticated requests are auto-approved!
        approval_points: 0

Regards,
Mukilan

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
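
Added example (not part of the thread and not OpenXPKI's own code): a small audit that lists every method section of the RPC wrapper config carrying a preset_* line and flags those that force flag_auto_approval, so the endpoints covered by Oliver's caveat can be checked against the web server's access controls. It assumes the file parses as plain INI in the layout quoted above; the [ExampleMethod] section and its values are constructed.

```python
import configparser

# Constructed sample in the INI layout quoted in the thread. [RevokeCertificate]
# is the section from Oliver's reply; [ExampleMethod] and its values are made up.
SAMPLE_CONF = """\
[ExampleMethod]
workflow = example_workflow
param = example_param
output = error_code

[RevokeCertificate]
workflow = certificate_revocation_request_v2
param = cert_identifier, reason_code, comment, invalidity_time
env = signer_cert, server
output = error_code
preset_flag_auto_approval = 1
"""

PRESET_PREFIX = "preset_"

def parse_conf(text):
    """Parse the wrapper config; keep key case and tolerate repeated keys."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser

def presets(parser):
    """Map each method section to the workflow parameters it forces."""
    found = {}
    for method in parser.sections():
        forced = {key[len(PRESET_PREFIX):]: value.strip()
                  for key, value in parser.items(method)
                  if key.startswith(PRESET_PREFIX)}
        if forced:
            found[method] = forced
    return found

def auto_approved(parser):
    """Methods where every call arrives with flag_auto_approval switched on."""
    # Assumption: any value other than empty or "0" enables the flag.
    return sorted(method for method, forced in presets(parser).items()
                  if forced.get("flag_auto_approval", "0") not in ("", "0"))

if __name__ == "__main__":
    for method in auto_approved(parse_conf(SAMPLE_CONF)):
        print(f"{method}: auto-approved, restrict access to this endpoint")
```

Every method this reports needs its protection at the web server in front of the wrapper, since the workflow no longer waits for an approval.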
