3.5 Example 5: Enrollment with CA Administrator Approval

This example demonstrates the Enroll for a Certificate and Approve Pending Request use cases described in section 2.5.3.1.

This example builds on the example in section 3.3 by introducing a CA administrator who modifies and approves the certificate request before the certificate is issued. One possible context for this scenario is where the certificate that is being requested requires a higher level of scrutiny before it can be issued or requires input from someone other than the requestor.

Initial System State and Prerequisites

This example of certificate enrollment is based on the following assumption, in addition to those described for the example in section 3.3:

Sequence

The sequence of the steps for this example is organized into the following sections:

A. Query for available certificate templates from the Active Directory server

B. Request for a certificate

C. Approve the pending certificate request

D. Get the issued certificate

A. Query for available certificate templates from the Active Directory server


Figure 19: Query for available certificate templates

  1. Upon startup, the CA-WCCE server requests the certificate template data from the Active Directory server via an LDAP search request as described in [MS-WCCE] section 3.2.2.1.

  2. The Active Directory server processes the request and responds with the certificate template data in the format that is specified in [MS-WCCE] section 3.2.2.1.1.

  3. The CA-WCCE server registers itself with the Active Directory server to receive change notifications, as specified in [MS-ADTS] section 3.1.1.3.4.1.9, whenever an attribute of a certificate template is modified. This keeps its cached copy of the templates up to date without retrieving the templates for each request.

  4. The WCCE client requests the certificate templates from the Active Directory server via an LDAP search request as described in [MS-WCCE] section 3.2.2.1.

  5. The Active Directory server responds with certificate templates in the format that is specified in [MS-WCCE] section 3.2.2.1.
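The following PowerShell script is an added example, not part of the overview or of [MS-WCCE]; it issues the LDAP search of steps 4 and 5 the way a WCCE client does, against the Certificate Templates container of the configuration naming context, and reads msPKI-Enrollment-Flag for each template so that you can confirm which templates will have their requests pended for administrator approval (CT_FLAG_PEND_ALL_REQUESTS, 0x00000002). It assumes it is run on a domain-joined host that can reach a domain controller; no template or CA names are assumed.

```powershell
# Added example: LDAP query for certificate templates as a WCCE client issues it.
# Not code from [MS-WCCE] or the overview. Assumes a domain-joined host with a
# reachable domain controller (ADSI over LDAP, no RSAT module required).

$CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # msPKI-Enrollment-Flag bit, [MS-CRTD]

# Templates live under the configuration naming context, which RootDSE tells us.
$rootDse     = [ADSI]'LDAP://RootDSE'
$configNc    = $rootDse.configurationNamingContext.Value
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$templatesDn"
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 500        # paged results, in case the forest has many templates
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('cn', 'displayName', 'msPKI-Enrollment-Flag', 'msPKI-Template-Schema-Version'))

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties      # ResultPropertyCollection keys are lower-case

    # Guard against a template object that lacks the attribute entirely.
    $flags = if ($p.Contains('mspki-enrollment-flag')) { [int]$p['mspki-enrollment-flag'][0] } else { 0 }
    $schema = if ($p.Contains('mspki-template-schema-version')) { [int]$p['mspki-template-schema-version'][0] } else { 1 }

    [pscustomobject]@{
        Template    = [string]$p['cn'][0]
        SchemaVer   = $schema
        EnrollFlags = ('0x{0:X8}' -f $flags)
        # True means the CA will answer every Request for this template with
        # "pending" and wait for a CA officer, which is the precondition of this example.
        PendsAll    = (($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
    }
}
```

Note that this shows the copy of the template held in Active Directory. The CA decides whether to pend a request from its own cached copy (steps 1 to 3), so a freshly changed flag takes effect on the CA only once the change notification has been processed.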

B. Request for a certificate


Figure 20: Request for a certificate

  1. The end entity, by using the WCCE client, creates a PKCS#10 request based on one of the certificate templates and submits it to the CA by calling the Request method specified in [MS-WCCE] section 3.1.2.4.2.

  2. The CA checks the certificate template and, because the msPKI-Enrollment-Flag has the CT_FLAG_PEND_ALL_REQUESTS bit set (see [MS-WCCE] section 3.2.2.6.2.1.4.5.6), records the request in its database and informs the client that the request's status is pending (the CR_DISP_UNDER_SUBMISSION disposition; see [MS-WCCE] section 3.2.1.4.2.1).

C. Approve the pending certificate request


Figure 21: Approve the pending certificate request

  1. The CA administrator, by using an implementation that has a CSRA client component, queries the CA database to obtain information about pending requests by calling the OpenView method, as specified in [MS-CSRA] section 3.1.4.1.12.

  2. The CA-CSRA server responds with the list of the pending requests.

  3. The CA administrator calls the SetExtension method to add a certificate extension to the pending request that is to be approved, chosen from the list returned in step 2.

  4. The CA-CSRA server adds the requested certificate extensions, as specified in [MS-CSRA] section 3.1.4.1.1 and returns a success response message.

  5. The CA administrator sends the ResubmitRequest method to approve the request.

  6. The CA-CSRA server processes the request, as specified in [MS-CSRA] section 3.1.4.1.3, and returns the disposition as an issued certificate.

  7. The CA administrator requests the CA to close the CA database view by calling the CloseView method.

  8. The CA-CSRA processes the CloseView method, as specified in [MS-CSRA] section 3.1.4.1.14 and returns a success response message.

D. Get the issued certificate


Figure 22: Request for the issued certificate

  1. After the request has been approved by the CA administrator, the end entity, by using the WCCE client, requests the issued certificate from the CA by calling the Request method, as specified in [MS-WCCE] section 3.1.1.4.3.7.

  2. The CA processes the request and returns the issued certificate to the WCCE client.
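The script below is an added example, not code from the overview, [MS-WCCE] or [MS-CSRA]; it drives sections B, C and D end to end through the Windows COM wrappers of the same DCOM interfaces: ICertRequest.Submit and RetrievePending for the WCCE Request method, ICertView.OpenView for the CSRA OpenView/CloseView calls, and ICertAdmin.SetCertificateExtension and ResubmitRequest for SetExtension and ResubmitRequest. The CA config string `ca01.corp.example\Corp-Issuing-CA`, the template name `PendingWebServer` and the DNS name `www.corp.example` are hypothetical. It assumes the first part runs as the requesting end entity and the CA-officer part as a user who holds the "Issue and Manage Certificates" right on the CA.

```powershell
# Added example: enrollment with CA officer approval over the COM wrappers of the
# WCCE/CSRA interfaces. Not code from the overview or the protocol specifications.
# Hypothetical names: CA config string, template, and the SAN added by the officer.

$Config   = 'ca01.corp.example\Corp-Issuing-CA'    # assumption: "host\CA name"
$Template = 'PendingWebServer'                      # assumption: template with CT_FLAG_PEND_ALL_REQUESTS

# Constants from certcli.h / [MS-WCCE]
$CR_IN_BASE64             = 0x1
$CR_IN_PKCS10             = 0x100
$CR_OUT_BASE64HEADER      = 0x0
$CR_DISP_ISSUED           = 3
$CR_DISP_UNDER_SUBMISSION = 5
$DB_DISP_PENDING          = 9      # CA database Disposition value for pending rows
# Constants from certview.h / certadm.h
$CVRC_COLUMN_SCHEMA = 0
$CVR_SEEK_EQ        = 1
$CVR_SORT_NONE      = 0
$PROPTYPE_BINARY    = 3
$EXT_NOT_CRITICAL   = 0

# ---- B. End entity: build a PKCS#10 from the template and submit it -----------
# InitializeFromTemplateName performs the template lookup of section A for us.
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromTemplateName(1, $Template)     # 1 = ContextUser
$csr = $enroll.CreateRequest(1)                       # 1 = XCN_CRYPT_STRING_BASE64

$request = New-Object -ComObject CertificateAuthority.Request
$disp = $request.Submit($CR_IN_BASE64 -bor $CR_IN_PKCS10, $csr, '', $Config)
if ($disp -ne $CR_DISP_UNDER_SUBMISSION) { throw "Expected a pending disposition, got $disp" }
$requestId = $request.GetRequestId()
"Request $requestId taken under submission"

# ---- C. CA officer: list pending requests (OpenView), amend, approve -----------
$view = New-Object -ComObject CertificateAuthority.View
$view.OpenConnection($Config)
$view.SetRestriction($view.GetColumnIndex($CVRC_COLUMN_SCHEMA, 'Disposition'),
                     $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_PENDING)
$view.SetResultColumnCount(3)
foreach ($name in 'RequestID', 'RequesterName', 'CertificateTemplate') {
    $view.SetResultColumn($view.GetColumnIndex($CVRC_COLUMN_SCHEMA, $name))
}
$rows = $view.OpenView()
while ($rows.Next() -ne -1) {                        # -1 = no more rows
    $cols = $rows.EnumCertViewColumn()
    $fields = @()
    while ($cols.Next() -ne -1) { $fields += "$($cols.GetDisplayName())=$($cols.GetValue(1))" }
    $fields -join '  '
}
# Releasing the row enumerator is what makes the wrapper send CloseView.
$null = [Runtime.InteropServices.Marshal]::ReleaseComObject($rows)

# SetExtension: add a DER-encoded SAN (2.5.29.17) to the pending request.
$altName = New-Object -ComObject X509Enrollment.CAlternativeName
$altName.InitializeFromString(3, 'www.corp.example')  # 3 = XCN_CERT_ALT_NAME_DNS_NAME (assumed name)
$altNames = New-Object -ComObject X509Enrollment.CAlternativeNames
$altNames.Add($altName)
$sanExt = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
$sanExt.InitializeEncode($altNames)
[byte[]]$sanDer = [Convert]::FromBase64String($sanExt.RawData(1))

$admin = New-Object -ComObject CertificateAuthority.Admin
$admin.SetCertificateExtension($Config, $requestId, '2.5.29.17',
                               $PROPTYPE_BINARY, $EXT_NOT_CRITICAL, $sanDer)

# ResubmitRequest: the CA re-runs its policy module and issues the certificate.
$disp = $admin.ResubmitRequest($Config, $requestId)
if ($disp -ne $CR_DISP_ISSUED) { throw "ResubmitRequest did not issue, disposition $disp" }

# ---- D. End entity: fetch the issued certificate by request ID -----------------
$disp = $request.RetrievePending($requestId, $Config)
if ($disp -ne $CR_DISP_ISSUED) { throw "Certificate not ready, disposition $disp" }
$pem = $request.GetCertificate($CR_OUT_BASE64HEADER)
Set-Content -Path "request-$requestId.cer" -Value $pem

# Check that the officer-added SAN is present in what the CA actually issued.
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 "request-$requestId.cer"
$cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($true) }
```

Two practical points follow from the exchange. SetCertificateExtension and ResubmitRequest are CA-officer operations; run them under a separate account from the requester, otherwise the "higher level of scrutiny" this scenario exists to provide collapses into self-approval. And the final SAN check is worth keeping: the issued certificate is the only authoritative record of what the policy module accepted, so verify the extension you added is there and that no other request-supplied name was carried through unexpectedly.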

Final System State

  • The end entity has the issued certificate from the CA.

  • The CA-WCCE server stores the request fields in the Request table, as specified in [MS-WCCE] sections 3.2.1.4.2.1.4.4 and 3.2.1.4.2.1.4.5, along with the status of the certificate request and the end entity details.

  • The CA-CSRA server has updated the Extension table with the extension added by the CA administrator.