SOAP Server

The builtin SOAP Server provides methods to revoke certificates. The service is implemented using a cgi-wrapper script, so there is no need for the webserver to support SOAP, you just need to setup the wrapper script. For apache, just add a ScriptAlias:

ScriptAlias /soap  /usr/lib/cgi-bin/soap.fcgi

Wrapper Configuration

The default wrapper looks for its config file at /etc/openxpki/scep/default.conf. The config uses plain ini format, a default is deployed by the package:

socket = /var/openxpki/openxpki.socket
modules = OpenXPKI::SOAP::Revoke OpenXPKI::SOAP::Smartcard

log_level = WARN

stack = _System

workflow = certificate_revocation_request_v2
servername = signed-revoke

workflow = sc_revoke
servername = smartcard-revoke

The global/auth parameters are described in the common wrapper documentation (Wrapper Configuration). Config path extension is supported.

The modules key must list the class names of all modules that should be exposed. Most modules expect some extra configuration. Put your parameters into a section with the name of the module, those will be passed to the module when initialized.

Endpoint Configuration

Based on the given servername, a rules file is loaded for the server. You can define the rules for the signer authorization here:

        subject: CN=.+:soapclient,.*
        subject: CN=.+:pkiclient,.*

SOAP Methods

The default interface exposes two methods. The reason code is optional in both calls and defaults to “unspecified”. Allowed values are the reason codes as used by openssl.


This expects the full DN of the certificate issuer and the serial number of the certificate to revoke. The serial can be either in decimal or hexadecimal format prefixed with ‘0x’:



Expects the OpenXPKI identifier of the certificate:


Both calls return a hash with id and state of the started workflow:

  'id' => '145919',
  'state' => 'PENDING',
  'error' => ''

If anything goes wrong, you get a verbose error message in error:

  'error' => 'parameter missing'