4 Protocol Examples

The client determines through implementation-specific procedures that a health certificate is required. In a common scenario, the client is connected to a network, but the client does not have a valid health certificate for communicating on that network. To access the network, the client has to acquire a new health certificate. After the HCEP enrollment process is invoked, the following sequence of events occurs.

Compliant Client Example

  1. The HCEA obtains the statement of health (SoH) from the system health entity.

  2. The HCEA then generates a public-private key pair and constructs a health certificate request (see section 2.2.1.4).

  3. The client creates the HCEP request (see section 2.2.1) and sends it to a preconfigured HRA URL.

  4. The HRA receives the HCEP request, extracts the SoH from the certificate request, and passes the SoH on to a health policy server that evaluates the SoH in the request.

  5. The health policy server responds with a statement of health response (SoHR) that states whether the client's health state complies with network policies.

  6. If the client is compliant with network policies, the HRA obtains a health certificate for the certificate request in the HCEP request. This can be done by using the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE].

  7. The server creates an HCEP response (see section 2.2.2) and sends it to the client.

  8. If a certificate was received in the HCEP response, the HCEA extracts the certificate and deposits it in the PersistedComputerCertificates ADM element specified in section 3.1.1.

Noncompliant Client Example

  1. The HCEA obtains the SoH from the system health entity.

  2. The HCEA generates a public-private key pair and constructs a health certificate request (see section 2.2.1.4).

  3. The client creates the HCEP request (see section 2.2.1) and sends it to a preconfigured HRA URL.

  4. The HRA receives the HCEP request, extracts the SoH from the certificate request, and passes the SoH on to a health policy server that evaluates the SoH.

  5. The health policy server responds with an SoHR that reports the client's health state as noncompliant with network policies.

  6. The HRA can still obtain a health certificate for the certificate request in the HCEP request; this might be accomplished by using the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE].

  7. The server creates an HCEP response (see section 2.2.2) and sends it to the client.

  8. If a certificate was received in the HCEP response, the HCEA extracts the certificate and deposits it in the PersistedComputerCertificates ADM element specified in section 3.1.1.
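The following Go program is an added example, not part of the MS-HCEP specification, that runs both the compliant and the noncompliant sequences above in one process with both sides' messages. It assumes a simplified message shape (the request is the DER PKCS#10 request itself; the response is an SoHR string plus an optional DER certificate) rather than the HTTP encoding of sections 2.2.1 and 2.2.2, a constructed placeholder OID for the extension that carries the SoH in the request, a constructed toy policy function in place of the health policy server, an in-process self-signed CA in place of the MS-WCCE enrollment of step 6, and, for the noncompliant client, the no-certificate outcome that step 6 of the noncompliant example permits. The names BuildRequest, NewCA, HandleRequest and Install are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder OID (private-enterprise arc) for carrying the SoH in
// the PKCS#10 request; it is not the OID MS-HCEP defines in section 2.2.1.4.
var oidSoH = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// must panics on error; used only where the example cannot continue (key generation, CA setup).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildRequest is steps 1-3 on the HCEA: a fresh key pair signs a DER PKCS#10 request carrying the SoH.
func BuildRequest(soh []byte) (*ecdsa.PrivateKey, []byte, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "nap-client"},
		ExtraExtensions: []pkix.Extension{{Id: oidSoH, Value: soh}},
	}, key)
	return key, csr, err
}

// NewCA creates the self-signed issuing CA that stands in for MS-WCCE enrollment in step 6.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-hra-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// HandleRequest is steps 4-7 on the HRA: verify proof of possession, extract the SoH, evaluate it
// against a constructed toy policy (the "health policy server"), and return the SoHR plus a
// short-lived certificate only when the SoH is compliant.
func HandleRequest(caKey *ecdsa.PrivateKey, ca *x509.Certificate, csrDER []byte) (string, []byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil { // SoH or key altered after signing
		return "", nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	var soh []byte // a request with no SoH evaluates as noncompliant below
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidSoH) {
			soh = ext.Value
		}
	}
	if string(soh) != "firewall=on;av=on" {
		return "noncompliant: " + string(soh), nil, nil // this example issues no certificate
	}
	certDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(4 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, csr.PublicKey, caKey)
	return "compliant", certDER, err
}

// Install is step 8 on the HCEA: persist the certificate only if the trusted CA issued it and it certifies the step 2 key.
func Install(certDER []byte, key *ecdsa.PrivateKey, ca *x509.Certificate) (*x509.Certificate, error) {
	if certDER == nil {
		return nil, nil // no certificate in the response, nothing to persist
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate does not certify the client's key")
	}
	return cert, nil
}

func main() {
	caKey, ca := NewCA()
	key, csr, _ := BuildRequest([]byte("firewall=on;av=on")) // use "firewall=off;av=on" for the noncompliant path
	sohr, certDER, err := HandleRequest(caKey, ca, csr)
	cert, ierr := Install(certDER, key, ca)
	fmt.Println(sohr, cert != nil, err, ierr)
}
```

Two checks in this example matter beyond the step list. The HRA's CheckSignature call on the PKCS#10 request is what ties the SoH to the public key being certified: a request whose SoH or key was swapped after signing is rejected before any policy evaluation. On the client side, Install accepts a certificate only if it chains to the expected CA and certifies the key generated in step 2, so a response carrying someone else's certificate is not deposited.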