renewal:
  notbefore: 000014
  notafter: 0

revoke_on_replace:
  reason_code: keyCompromise
  delay_revocation_time: +000014


workflow:
  type: certificate_enroll
  param:
    transaction_id: transaction_id
    signer_cert: signer_cert
    pkcs10: pkcs10
    _url_params: url_params

key_size:
  rsaEncryption: 1020-4096

hash_type:
  - sha1
  - sha256
  - sha512

authorized_signer:
  rule1:
    subject: CN=.+:scepclient,.*
  rule2:
    subject: CN=.+:pkiclient,.*

policy:
  allow_man_authen: 1
  allow_anon_enroll: 0
  allow_man_approv: 1
  allow_eligibility_recheck: 0
  approval_points: 1
  max_active_certs: 1
  allow_expired_signer: 0
  auto_revoke_existing_certs: 1
  allow_replace: 1

response:
  getcacert_strip_root: 1

profile:
  cert_profile: {{ item.0.scep.profile }}
  cert_subject_style: enroll

profile_map:
  pc-client: I18N_OPENXPKI_PROFILE_USER_AUTHENTICATION

hmac: "{{ item.0.scep.hmac | default(pki_scep_hmac) }}"

challenge:
  value: "{{ item.0.scep.challenge | default(pki_scep_challenge) }}"

eligible:
  renewal:
   value: 1