Rejecting certificate requests without Challenge Password in OpenXPKI CA

By default, OpenXPKI accepts requests without checking the challenge password. The certificate request is not rejected, and the CA and CA administrator determine whether to approve or reject the request. To avoid potential security concerns, disable this feature so that any certificate requests that contain invalid passwords are rejected immediately. In MVE, Challenge Password is required only when generating the enrollment agent certificate.

  1. In etc/openxpki/config.d/realm/REALM NAME/scep/generic.yaml, from the policy section, change the value of allow_man_authen from 1 to 0.
    Notes:
    • REALM NAME is the name of the realm. For example, ca‑one.
    • Review the space and indentation in the script file.
  2. Restart the OpenXPKI service using openxpkictl restart.