2.5.2 Use Case Summary
There are two main use cases for the CA system:
- Enroll for a Certificate
- Administer the CA
The Enroll for a Certificate use case is the most important use case for this system. In its simplest form, it allows a caller, either an end entity or an enrollment agent, to request a certificate from a CA. See the examples in sections 3.1 and 3.3. Upon successful completion of the use case, the end entity receives a certificate signed by the CA.
Common variations of the certificate enrollment use case are as follows:
- Certificate renewal is when an end entity already has a valid certificate and uses the private key that is associated with that certificate to sign a renewal request for a new certificate of the same type.
- Enrollment on behalf of another user introduces an enrollment agent who acts as a cosigner for the certificate request to provide a higher level of control in the enrollment process.
- Autoenrollment reduces the burden on the server administrator by automatically enrolling and renewing certificates.
- Certificate enrollment with CA administrator approval interrupts the automatic flow of the certificate enrollment to allow the administrator to modify the request itself, modify the resulting certificate, or approve or deny the request.
The Administer the CA use cases include generic functions such as editing the CA configuration, as well as more specific functions such as revoking certificates or recovering escrowed private keys from a CA.
The primary CA administration use cases are:
- Edit CA configuration settings
- Revoke a certificate
- Recover an archived certificate and key