3.1.4.1.1.4.2 Certificate Processing
The server MUST maintain a list of at least one X.509 certificate that is used for signing security tokens. For each of the X.509 certificates, the server MUST maintain a SHA-1 hash of the certificate.
When responding to a GetFsInformation request, the server MUST place each of the X.509 certificate hashes into an X509Thumbprint element as described in section 3.1.4.1.1.3.5. The hash data MUST be represented as a sequence of sets of two hexadecimal digit characters. There MUST NOT be any spaces between the characters.
When responding to a GetFsInformation request, the server MUST place each of the maintained X.509 certificates into the data structure described in section 3.1.4.1.1.3.6. In addition, the server MUST put all of the X.509 certificates that are in the issuance path of the X.509 certificates used for signing security tokens into the data structure described in section 3.1.4.1.1.3.6. [X509] discusses how to determine the other X.509 certificates that are in the issuance path of a given X.509 certificate.
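The following added example (not part of this specification, and not server code from any implementation) shows the two server-side steps above in Python: computing the SHA-1 thumbprint of each signing certificate as a run of hexadecimal digit pairs with no spaces, and collecting the signing certificates together with every certificate in their issuance path. The certificate bytes, names and the dictionary-based response shape are constructed placeholders; path building here is a simplified issuer-name walk, whereas a conforming server would use the path construction rules in [X509].

```python
import hashlib
import re

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
# Each entry maps a certificate name to (issuer name, DER bytes). A real server
# would hold its configured signing certificates and the issuer chain instead.
CERTS = {
    "signing": ("intermediate", b"constructed-der-signing-cert"),
    "intermediate": ("root", b"constructed-der-intermediate-cert"),
    "root": ("root", b"constructed-der-root-cert"),
    "unrelated": ("unrelated", b"constructed-der-unrelated-cert"),
}

# X509Thumbprint content: sets of two hex digits, no spaces, SHA-1 length (40 chars).
THUMBPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){20}$")


def x509_thumbprint(der: bytes) -> str:
    """SHA-1 hash of the certificate's DER encoding, rendered as hex digit pairs.

    hexdigest() already emits two hex characters per byte with no separators,
    which is exactly the X509Thumbprint representation required above.
    """
    return hashlib.sha1(der).hexdigest().upper()


def is_valid_thumbprint(value: str) -> bool:
    """Check that a thumbprint string is 20 bytes of hex with no spaces."""
    return THUMBPRINT_RE.match(value) is not None


def issuance_path(name: str, certs: dict) -> list:
    """Walk issuer links from a certificate up to a self-issued root.

    Simplified issuer-name matching (assumption); [X509] defines the actual
    path-building rules a conforming server must follow.
    """
    path = []
    seen = set()
    while name in certs and name not in seen:
        seen.add(name)
        path.append(name)
        issuer = certs[name][0]
        if issuer == name:  # self-issued root terminates the path
            break
        name = issuer
    return path


def build_fs_information(signing_names: list, certs: dict) -> dict:
    """Assemble the certificate-related parts of a GetFsInformation response.

    'X509Thumbprint' holds one hash per signing certificate; 'certificates'
    holds each signing certificate plus every certificate in its issuance
    path, de-duplicated and in issuance order.
    """
    thumbprints = [x509_thumbprint(certs[n][1]) for n in signing_names]
    chain = []
    for n in signing_names:
        for cert_name in issuance_path(n, certs):
            if cert_name not in chain:
                chain.append(cert_name)
    return {
        "X509Thumbprint": thumbprints,
        "certificates": [certs[c][1] for c in chain],
    }


if __name__ == "__main__":
    info = build_fs_information(["signing"], CERTS)
    print(info["X509Thumbprint"])
    print(len(info["certificates"]), "certificates in response")
```

Note that the unrelated certificate in the constructed store is deliberately left out of the response: only certificates on the issuance path of a signing certificate are included, which keeps the response from advertising trust material the relying party does not need.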
The server MUST maintain a configured method for checking revocation on the X.509 certificates as described in section 3.2.4.1.2.2. The method MUST be included in the response RevocationFlags element, as detailed in section 3.1.4.1.1.3.