3.11.5.1 End-user X509 Certificate Success Processing

If the client obtains a certificate of the end-user, then the client SHOULD validate the X509 certificate [RFC4158] based on the CurrentEndpointConfiguration.CertificateValidation value.

  • If the CurrentEndpointConfiguration.CertificateValidation value is 0 ("None") then no validation SHOULD be performed.

  • If the CurrentEndpointConfiguration.CertificateValidation value is 1 ("Ssl") then whole chain validation [RFC4158] of the certificate SHOULD be performed.

  • If the CurrentEndpointConfiguration.CertificateValidation value is 2 ("IssuedByDrs") then the client SHOULD validate that the end-user certificate was issued by one of ServiceConfiguration.DeviceCertificateIssuers.

If the validation of the end-user certificate was successful, or if the validation of the end-user certificate failed and the CurrentEndpointConfiguration.CertificateValidation value is 1, the following processing occurs:

  • The client MUST construct a request as in section 3.10.5.1.

  • If the validation of the end-user certificate was successful, then the [Serialized Request with Certificate].SerializedClientCertificate MUST be set to the base64 string encoded ([RFC4648] section 4) X509 certificate [RFC4158]. Otherwise, the [Serialized Request with Certificate].ErrorType SHOULD be set to 1 ("Certificate") and the [Serialized Request with Certificate].ErrorCode SHOULD be set to the error value that was encountered while validating the end-user certificate.<13>

  • The client then performs the common processing defined in section 3.11.5.2.

If the validation of the end-user certificate failed and the CurrentEndpointConfiguration.CertificateValidation value is 2, the client SHOULD replay the request as defined in section 3.11.5 step 6.
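As an added illustration (not part of the specification or any client implementation), the following Python models the branching above: the three CertificateValidation modes, the fields placed in the Serialized Request with Certificate on success or on a mode 1 failure, and the replay outcome on a mode 2 failure. The EndUserCert type, its chain_valid flag and the error values are constructed stand-ins; a real client would obtain the chain validation result from its certificate library.

```python
import base64
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class CertificateValidation(IntEnum):
    """CurrentEndpointConfiguration.CertificateValidation values from the text."""
    NONE = 0            # "None": no validation is performed
    SSL = 1             # "Ssl": whole chain validation
    ISSUED_BY_DRS = 2   # "IssuedByDrs": issuer must be in DeviceCertificateIssuers


# Constructed, simplified stand-in for a parsed end-user X509 certificate.
# chain_valid models the outcome of a real chain validation; it is not computed here.
@dataclass
class EndUserCert:
    der: bytes          # DER encoding, base64-encoded into the request on success
    issuer: str         # issuer distinguished name
    chain_valid: bool   # modelled result of whole chain validation


# Constructed placeholder error values; the specification does not define them.
ERR_CHAIN_VALIDATION = 1001
ERR_UNTRUSTED_ISSUER = 1002


def validate(cert: EndUserCert, mode: CertificateValidation,
             device_cert_issuers: list[str]) -> tuple[bool, Optional[int]]:
    """Apply the validation selected by CertificateValidation; return (ok, error code)."""
    if mode == CertificateValidation.NONE:
        return True, None   # nothing checked, so the certificate is treated as usable
    if mode == CertificateValidation.SSL:
        return (True, None) if cert.chain_valid else (False, ERR_CHAIN_VALIDATION)
    if mode == CertificateValidation.ISSUED_BY_DRS:
        if cert.issuer in device_cert_issuers:
            return True, None
        return False, ERR_UNTRUSTED_ISSUER
    raise ValueError(f"unknown CertificateValidation value {mode}")


def build_certificate_fields(cert: EndUserCert, mode: CertificateValidation,
                             device_cert_issuers: list[str]) -> Optional[dict]:
    """Return the certificate-related fields of the Serialized Request with Certificate,
    or None when the client must instead replay the request (mode 2 failure)."""
    ok, err = validate(cert, mode, device_cert_issuers)
    if ok:
        # Success: base64 ([RFC4648] section 4) of the DER-encoded certificate.
        return {"SerializedClientCertificate": base64.b64encode(cert.der).decode("ascii")}
    if mode == CertificateValidation.SSL:
        # Mode 1 failure: the request is still sent, carrying the certificate error.
        return {"ErrorType": 1, "ErrorCode": err}   # ErrorType 1 == "Certificate"
    return None   # Mode 2 failure: replay as defined in section 3.11.5 step 6.
```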