SOAP Server

The built-in SOAP server provides methods to revoke certificates. The service is implemented using a CGI wrapper script, so the web server does not need to support SOAP itself; you only need to set up the wrapper script. For Apache, add a ScriptAlias:

ScriptAlias /soap  /usr/lib/cgi-bin/soap.fcgi

Wrapper Configuration

The default wrapper looks for its config file at /etc/openxpki/scep/default.conf. The config uses plain ini format; the package deploys a default:

log_config = /etc/openxpki/soap/log.conf
log_facility = client.soap
socket = /var/openxpki/openxpki.socket
modules = OpenXPKI::SOAP::Revoke OpenXPKI::SOAP::Smartcard

stack = _System
pki_realm = ca-one

workflow = certificate_revocation_request_v2
servername = signed-revoke

workflow = sc_revoke
servername = smartcard-revoke

Endpoint Configuration

Based on the given servername, a rules file is loaded for the server. You can define the rules for the signer authorization here:

        subject: CN=.+:soapclient,.*
        subject: CN=.+:pkiclient,.*
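
An added example (not part of the OpenXPKI documentation) for checking subject rules like the two above against sample signer subjects before deploying them. It assumes the subject value is applied as a regular expression to the signer certificate's subject DN; the sample DNs and the tightened patterns are constructed for illustration.

```python
import re

# Rule patterns copied from the endpoint configuration on this page.
PAGE_RULES = [r"CN=.+:soapclient,.*", r"CN=.+:pkiclient,.*"]

# Hypothetical tightened variants (assumption, not from the OpenXPKI docs):
# anchored at the start, and the CN value may not cross an RDN boundary.
STRICT_RULES = [r"\ACN=[^,]+:soapclient,", r"\ACN=[^,]+:pkiclient,"]

SUFFIX = "DC=Test Deployment,DC=OpenXPKI,DC=org"

# Constructed signer subjects, each with the decision an operator would expect.
SAMPLES = [
    ("CN=host1.example.org:soapclient," + SUFFIX, True),
    ("CN=host1.example.org:pkiclient," + SUFFIX, True),
    ("CN=host1.example.org:webserver," + SUFFIX, False),
    # The client marker sits in a later RDN, not in the CN.
    ("CN=host1.example.org,OU=ops:soapclient," + SUFFIX, False),
    # The CN is not the first RDN of the subject.
    ("OU=ops,CN=host1.example.org:soapclient," + SUFFIX, False),
]


def authorized(subject, rules, anchored=False):
    """Return True if any rule matches the subject DN.

    anchored=False models an unanchored regex search, anchored=True a
    whole-string match; which one the server uses is not stated on the page.
    """
    match = re.fullmatch if anchored else re.search
    return any(match(rule, subject) is not None for rule in rules)


def audit(rules, samples=SAMPLES, anchored=False):
    """Return the subjects whose decision differs from the expected one."""
    return [s for s, expected in samples
            if authorized(s, rules, anchored) != expected]


if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("strict rules", STRICT_RULES)):
        unexpected = audit(rules)
        print(f"{name}: {len(unexpected)} unexpected decision(s)")
        for subject in unexpected:
            print("  accepted but not expected:", subject)
```

Run against your own rules file entries and a list of subjects your CA actually issues; any subject reported by audit() is one where the rule and your intent disagree.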

SOAP Methods

The default interface exposes two methods. The reason code is optional in both calls and defaults to “unspecified”. Allowed values are the reason codes as used by OpenSSL.


This expects the full DN of the certificate issuer and the serial number of the certificate to revoke. The serial can be either in decimal or hexadecimal format prefixed with ‘0x’:



Expects the OpenXPKI identifier of the certificate:


Both calls return a hash with id and state of the started workflow:

  'id' => '145919',
  'state' => 'PENDING',
  'error' => ''

If anything goes wrong, the error field contains a verbose error message:

  'error' => 'parameter missing'

Multiple Endpoints