For the certificate renewal process, MDE modifies the RequestSecurityToken message as follows. The remainder of the definition for the RequestSecurityToken message is as specified in section

Because the enrollment client uses the existing certificate to perform client Transport Layer Security (TLS), the security token is not populated in the SOAP header. As a result, the ES is required to support client TLS.

The following elements and attributes MUST be included as specified in the SOAP body of the request message.

wst:RequestType: The <wst:RequestType> element MUST be the value "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew" (see [WSTrust1.3] section 3.1).

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/windows/pki/2009/01/ enrollment#PKCS7".