For automatic certificate requests, we are using the Signer on Behalf certificate feature of OpenXPKI.
Stop the OpenXPKI service using openxpkictl stop.
Open the file with nano /etc/openxpki/config.d/realm/ca-one/scep/generic.yaml, and then in the authorized_signer: section, add a rule for the subject name of the signer certificate.
    rule1:
        # Full DN
        subject: CN=Markvision_.*
Notes:
- In this rule, any certificate CN starting with Markvision_ is the Signer on Behalf certificate.
- The subject name is set in MVE for generating the Signer on Behalf certificate.
- Review the spacing and indentation in the configuration file.
- If the CN is changed in MVE, then add the updated CN in OpenXPKI.
- To allow only one certificate as Signer on Behalf, specify its full CN.
Save the file.
Start the OpenXPKI service using openxpkictl start.
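Before restarting the service, it helps to confirm which signer subjects a rule admits. The following is an added example, not part of the original procedure or of OpenXPKI: it compares the rule shown above with a single-signer rule, with and without escaping the dots in the CN. Assumptions: the subject value is applied as a regular expression that must match the whole subject string, Python's re module stands in for the Perl regex engine that OpenXPKI uses, and the host names and subjects are constructed placeholders.

```python
import re

def matching_rule(subject_dn, rules):
    """Name of the first rule whose subject regex matches the whole DN, else None."""
    for name, rule in rules.items():
        # Assumption: the pattern must match the entire subject string.
        if re.fullmatch(rule["subject"], subject_dn):
            return name
    return None

def audit(rules, subjects):
    """Map every subject DN to the rule that admits it (None = rejected)."""
    return {dn: matching_rule(dn, rules) for dn in subjects}

# Rule exactly as shown on the page: any CN starting with Markvision_.
BROAD = {"rule1": {"subject": r"CN=Markvision_.*"}}

# Constructed single-signer rules; the host name is a placeholder.
FULL_CN = "CN=Markvision_mve01.example.test"
UNESCAPED = {"rule1": {"subject": FULL_CN}}           # "." still means "any character"
PINNED = {"rule1": {"subject": re.escape(FULL_CN)}}   # "." matches a literal dot only

# Constructed signer subjects to check the rules against.
SUBJECTS = [
    "CN=Markvision_mve01.example.test",   # the intended MVE signer
    "CN=Markvision_lab,O=Other Org",      # different certificate, same CN prefix
    "CN=Markvision_mve01Xexample.test",   # differs only where a dot is expected
    "CN=printer-17.example.test",         # unrelated device certificate
]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("unescaped", UNESCAPED), ("pinned", PINNED)):
        print(label)
        for dn, rule in audit(rules, SUBJECTS).items():
            print(f"  {'ALLOW' if rule else 'deny':5}  {dn}")
```

Only the escaped full-CN rule limits the Signer on Behalf role to the one intended subject; re-run the check whenever the CN is changed in MVE.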