Rejecting certificate requests without Challenge Password in OpenXPKI CA

By default, OpenXPKI does not reject a certificate request whose challenge password is missing or wrong. The request is instead held for manual authentication, and the CA operator decides whether to approve or reject it. To remove the risk of an operator approving a request that never proved knowledge of the password, disable manual authentication so that any request with an invalid challenge password is rejected immediately. In MVE, the challenge password is required only when generating the enrollment agent certificate.
  1. In /etc/openxpki/config.d/realm/REALM NAME/scep/generic.yaml, in the policy section, change the value of allow_man_authen from 1 to 0.
    • REALM NAME is the name of the realm. For example, ca-one.
    • Check the spacing and indentation in the YAML file: the key must keep its original indentation, and YAML does not allow tab characters.
  2. Restart the OpenXPKI service using openxpkictl restart.
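The two steps above as one scripted change, added here as an example and not part of the original page or of OpenXPKI itself. It assumes the realm is named ca-one and the configuration lives under /etc/openxpki; the helper names (man_authen_value, disable_man_authen, check_yaml) and the sample policy fragment in demo are constructed for the example.

```shell
#!/bin/sh
# Added example: reject SCEP requests that fail the challenge password by
# setting allow_man_authen from 1 to 0 in the realm's scep/generic.yaml.
# Assumptions (not from the original page): realm "ca-one", config under
# /etc/openxpki. Adjust CONFIG for your realm.

CONFIG="/etc/openxpki/config.d/realm/ca-one/scep/generic.yaml"

# Print the current allow_man_authen value (prints nothing if the key is absent).
man_authen_value() {
    sed -n 's/^[[:space:]]*allow_man_authen:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1"
}

# Flip allow_man_authen from 1 to 0, keeping the line's leading indentation.
# Writes to a temp file first so a failed sed never truncates the config.
disable_man_authen() {
    f="$1"
    sed 's/^\([[:space:]]*allow_man_authen:[[:space:]]*\)1\([[:space:]]*\)$/\10\2/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Indentation sanity check before and after the edit: YAML forbids tab
# characters in indentation, and the key should appear exactly once.
check_yaml() {
    f="$1"
    if grep -q "$(printf '\t')" "$f"; then
        echo "tab character found in $f" >&2
        return 1
    fi
    n=$(grep -c '^[[:space:]]*allow_man_authen:' "$f")
    [ "$n" -eq 1 ] || { echo "expected one allow_man_authen key, found $n" >&2; return 1; }
}

# Dry run on a constructed copy of the policy fragment (sample input, not a real config).
demo() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
policy:
    allow_man_authen: 1
    allow_anon_enroll: 0
EOF
    echo "before: allow_man_authen=$(man_authen_value "$t")"
    check_yaml "$t" && disable_man_authen "$t" && check_yaml "$t"
    echo "after:  allow_man_authen=$(man_authen_value "$t")"
    rm -f "$t"
}
demo

# Apply to the live realm config (backing it up first), then restart so the
# policy is re-read. Skipped when the file is not present on this host.
if [ -f "$CONFIG" ]; then
    cp "$CONFIG" "$CONFIG.bak"
    check_yaml "$CONFIG" && disable_man_authen "$CONFIG" && check_yaml "$CONFIG"
    openxpkictl restart
fi
```

After the restart, a test enrollment with a wrong challenge password should be rejected outright rather than showing up in the pending queue; if it still appears there, the edit landed in the wrong realm or the indentation pushed the key out of the policy section.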