3.2.5.1 Processing A SignCert Request Message

Upon receiving a SignCert Request message (section 2.2.2), the server performs the following steps:

  1. Validate the certificate request received in the SignCert Request message:

    • The user name inside the certificate request MUST match the OTP user name received in the username attribute of the SignCert Request message. If the user name appears in multiple places in the certificate request, all instances MUST match the OTP user name.

    • The certificate template named in the user certificate request MUST NOT be empty and it MUST be the one that is configured in the server.

    • The certificate request MUST be digitally signed with a valid signature, as specified in [RFC2986].

      If the validations fail, the server MUST stop processing the request and send a SignCert Response message (section 2.2.3) to the client with a status of OtherError, without setting the SignedCertRequest and IssuingCA attributes.

  2. Validate that the user name is listed in Active Directory, as specified in [MS-ADTS]. If the validation fails, the server MUST stop processing the request and send a SignCert Response message to the client with a status of AuthenticationError, without setting the SignedCertRequest and IssuingCA attributes.

  3. Validate user name, static password (if available), and one-time password with the first OTP server represented in the OTP servers information ADM element using the Password Authentication Protocol (PAP) [RFC1334] over Remote Authentication Dial-In User Service (RADIUS) to validate the OTP credentials. If the validation fails, the server MUST stop the processing and send a SignCert Response message with an error status corresponding to the response received from OTP server:

    • If the OTP server cannot be reached, the server MUST send a status of OtherError to the client.

    • If the response from the OTP server is Access-Reject, the server MUST send a status message of AuthenticationError to the client.

    • If the response from OTP server is Challenge-Response, the server MUST send a status message of ChallengeResponseRequired to the client.

    The SignedCertRequest and IssuingCA attributes are not set upon failure.

  4. Sign the certificate request that was part of the SignCert Request message using the dedicated signing certificate. If this operation fails, the server MUST send a status message of OtherError to the client.

    The SignedCertRequest and IssuingCA attributes are not set upon failure.

  5. Verify that the list of CA servers in the CA servers list ADM element is not empty and pick the first CA server from the list. If this operation fails, the server MUST send a status message of OtherError to the client.

  6. When a certificate is successfully signed, the server MUST create a SignCert Response message with the following values in it:

    • The statusCode attribute is set to Success.

    • The SignedCertRequest attribute value is set to the signed certificate enrollment request.

    • The IssuingCA attribute is set to the name of the first or several high-ranked CA servers from the CA servers list ADM element.

Then the server MUST send the response back to the client.