1.4 Relationship to Other Protocols

The Health Certificate Enrollment Protocol uses HTTP (as specified in [RFC2616]) or HTTP over TLS (as specified in [RFC2818]) as the transport for its messages. The payload of an HCEP request message sent by the HCEA contains a PKCS #10 certificate request (as specified in [RFC2986]), which in turn carries an SoH message (as specified in [TNC-IF-TNCCSPBSoH] section 3.5).

If the client's health state is compliant, the health registration authority (HRA) requests that a certificate authority (CA) issue a certificate. The Microsoft implementation of the HRA uses the Windows Client Certificate Enrollment Protocol [MS-WCCE] to request and receive the certificate; other implementations can choose different means of communication between the HRA and the CA. If the client's health state is not compliant, the HRA can still request a certificate from the CA, in which case the certificate contains an indication that the client is unhealthy.

The HRA sends an HCEP response whose payload contains an SoHR (as specified in [TNC-IF-TNCCSPBSoH] section 3.6). If the client is compliant with health policy, the payload also includes a PKCS #7 message (as specified in [RFC2315]), which may contain an X.509 certificate (as specified in [RFC3280]).

Figure 2: Diagram illustrating the relationship between HCEP and other protocols