Thanks for your response. I was looking more for a server-side configuration to enable it, like Microsoft CA has. It seems there is no such configuration and one has to trigger approval separately. Doing it via the REST API is probably quicker, hence I saw this: https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API

I am able to make calls to get a certificate, i.e. https://192.168.56.103:8443/ca/rest/certs/0xd, successfully, but when I try to approve a pending request I get an error.
If I don't set Content-Type I get Unsupported Media Type, and when I set it to application/xml I get 400 Bad Request with the following exception:

javax.xml.bind.JAXBException
- with linked exception:
[java.security.PrivilegedActionException: javax.xml.bind.UnmarshalException
- with linked exception:
[org.xml.sax.SAXParseException; Premature end of file.]]

Do I need to log in and pass some token to the approve call, as hinted here: https://www.dogtagpki.org/wiki/PKI_REST_API? I am using the admin cert for client auth and testing using Postman which comes as default and hence should be able to approve. Having said that, I can trigger approval via the CLI command while authenticated by the same admin cert: pki -c Secret.123 -n "PKI Administrator for localhost.localdomain" ca-cert-request-review 40 --action approve

In short, I can achieve approval by sending the P10 cert request via the Java SDK and then approving via the CLI, but I would prefer the RESTful API approach if possible. Any hint on why the RESTful API could be failing?

Regards,
WK

On Thu, Oct 29, 2020 at 3:21 AM Marc Sauton <msauton@redhat.com> wrote:
yes, it works by having SSL client authentication for an "agent" user, or LDAP basic authentication (without or with a pre-defined pin), or CMC:

example for SSL server cert, look at the profile caAgentServerCert.cfg

example for SSL server cert using CMC, see
https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-CMC

for end user cert, examples with caDirPinUserCert.cfg, caDirUserCert.cfg

from the pki command line with LDAP basic authentication, look for the command cert-request-submit with the --username
either
pki cert-request-submit --help
or
pki ca-cert-request-submit --help
see
https://www.dogtagpki.org/wiki/Directory-Authenticated_Profiles


On Wed, Oct 28, 2020 at 2:20 AM Wahaj K <mwahaj3120@gmail.com> wrote:
Hi Guys,

I am new to Dogtag PKI and have installed it on Fedora 33. I am able to send a PKCS#10 certificate, approve and then get the issued certificate. I need to know a way to generate the certificate without manual approval, so that when the PKCS#10 request is sent, the certificate is generated right away. I have looked at profiles and the CA configuration but couldn't see a way. I am using Dogtag 10.9. Is this possible? Any guidance is appreciated.

Regards,
Wahaj