1.4 Relationship to Other Protocols

The Windows Client Certificate Enrollment Protocol depends on the Distributed Component Object Model (DCOM) Remote Protocol [MS-DCOM]. The DCOM Remote Protocol is built on top of the Remote Procedure Call Protocol Extensions (RPCE) [MS-RPCE], and the Windows Client Certificate Enrollment Protocol accesses RPCE directly to obtain certain security settings for the client-to-server connections. The Windows Client Certificate Enrollment Protocol depends on the Netlogon Remote Protocol Specification [MS-NRPC] for locating the domain controller (DC).

The Windows Client Certificate Enrollment Protocol uses the Hypertext Transfer Protocol -- HTTP/1.1 [RFC2616] for retrieving CRLs. When using HTTP, the behavior is to use HTTP v1.1 (see [RFC2616]) on port 80 unless one of the following cases applies:

  • The URL has a prefix of "https://", in which case it uses port 443.

  • A URL explicitly specifies an alternative port, or the processing rule explicitly requests an alternative port.

The HTTP v1.1 behavior is to use persistent connections.
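The port-selection rule above is easy to get subtly wrong when a CRL distribution point URL carries its own port or a processing rule overrides it. The following Python function is an added illustration, not code from [MS-WCCE] or from any Windows component: it resolves a CRL URL to the scheme, host and port a client would connect to, applying the rule in the order the section gives (processing-rule override, then an explicit port in the URL, then the scheme default of 80 or 443). The `override_port` parameter and the constructed URLs are assumptions of this example. It also reports which rule chose the port, which is the detail a reviewer of CRL-fetch logs usually wants.

```python
from urllib.parse import urlsplit

# Default ports per scheme, as stated in the section: HTTP/1.1 on 80, https:// on 443.
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_crl_endpoint(url, override_port=None):
    """Resolve a CRL distribution point URL to (scheme, host, port, port_source).

    port_source is one of:
      "processing-rule" - a higher-layer processing rule requested a port
                          (modelled here by the hypothetical override_port argument),
      "url"             - the URL itself names a port,
      "default"         - 80 for http://, 443 for https://.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        # Only HTTP-based retrieval is covered by the rule; LDAP CDPs are out of scope here.
        raise ValueError(f"not an HTTP CRL distribution point: {url}")
    host = parts.hostname
    if not host:
        raise ValueError(f"CRL distribution point has no host: {url}")

    if override_port is not None:
        return scheme, host, int(override_port), "processing-rule"
    if parts.port is not None:  # raises ValueError for a malformed port
        return scheme, host, parts.port, "url"
    return scheme, host, DEFAULT_PORTS[scheme], "default"


def summarize_crl_endpoints(urls):
    """Map each URL to its resolved endpoint; unusable URLs map to the error text.

    Useful for auditing the CDP extensions of a set of issued certificates and spotting
    retrieval targets on non-default ports.
    """
    result = {}
    for url in urls:
        try:
            result[url] = resolve_crl_endpoint(url)
        except ValueError as exc:
            result[url] = f"error: {exc}"
    return result


if __name__ == "__main__":
    # Constructed sample CDP URLs (not taken from any real certificate).
    sample_urls = [
        "http://crl.example.test/pki/root.crl",
        "https://crl.example.test/pki/root.crl",
        "http://crl.example.test:8080/pki/root.crl",
        "ldap://dc.example.test/CN=root,CN=CDP,CN=Public%20Key%20Services",
    ]
    for url, endpoint in summarize_crl_endpoints(sample_urls).items():
        print(f"{url} -> {endpoint}")
```

Running the block prints one line per constructed URL; the third line shows the explicit port winning over the default, and the LDAP entry is reported as out of scope rather than silently mapped to port 80.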

The Windows Client Certificate Enrollment Protocol uses the DCOM Remote Protocol to create and use DCOM object (2) references to server objects, as specified in section 2.1 of this document and [MS-DCOM] section 3.2.4.1. The Windows Client Certificate Enrollment Protocol also uses the DCOM Remote Protocol to select authentication settings. The specific parameters passed from the Windows Client Certificate Enrollment Protocol to the DCOM Remote Protocol are specified in section 2.1.

Using input from a higher-layer protocol or application, the DCOM Remote Protocol negotiates its authentication method and settings by using the Generic Security Service Application Programming Interface (GSS-API) (as specified in [RFC2478]), and these settings are in turn passed to the activation request and object remote procedure calls (ORPC) made by the DCOM client to the DCOM server, as specified in [MS-DCOM] sections 3.2.4.1.1.2 and 3.2.4.2. The following figure shows the layering of the protocol stack.

Figure 2: Windows Client Certificate Enrollment protocol stack

Data structures that are defined in the certificate template structure specification (see [MS-CRTD]) can be retrieved over LDAP, as specified in [RFC2559], and used by the Windows Client Certificate Enrollment Protocol.

The Certificate Services Remote Administration Protocol [MS-CSRA] is a management protocol for the Windows Client Certificate Enrollment Protocol server. When the two are implemented together, the Windows Client Certificate Enrollment Protocol shares its abstract data model (ADM) with the Certificate Services Remote Administration Protocol [MS-CSRA], as specified in sections 3.2.1.1 and 3.2.1.1.3.

The ICertPassage Remote Protocol [MS-ICPR] is another certificate enrollment protocol that is built directly on top of the Remote Procedure Call Protocol Extensions (RPCE) [MS-RPCE]. When the two are implemented together, the Windows Client Certificate Enrollment Protocol shares some of its ADM with the ICertPassage Remote Protocol [MS-ICPR], as specified in [MS-ICPR] sections 3.1.1 and 3.2.1.

The Encrypting File System Remote (EFSRPC) Protocol [MS-EFSR] depends on the Windows Client Certificate Enrollment Protocol.

Indirectly, other protocols that rely on certificates for authentication (for example, the Transport Layer Security Protocol (TLS) [RFC2246]) can use this protocol for certificate enrollment and issuance.