3.2.1.4.3.2.37 PropID = 0x00000025 (CR_PROP_CAFORWARDCROSSCERTSTATE) "CA Forward Cross Certificate State"

The client requested the state of all forward cross certificates. If the server implements the Signing_Forward_Cross_Certificate column, it MUST return a byte array that MUST contain the status for each one of the forward cross certificates. Otherwise, the server MUST return an empty CERTTRANSBLOB (section 2.2.2.2) structure.

The disposition's value SHOULD be one of the following.

 Value                       Meaning
 --------------------------  ----------------------------------
 CA_DISP_INCOMPLETE (0x00)   The certificate is incomplete.
 CA_DISP_ERROR (0x01)        The certificate is unavailable.
 CA_DISP_REVOKED (0x02)      The certificate has been revoked.
 CA_DISP_VALID (0x03)        The certificate is valid.
 CA_DISP_INVALID (0x04)      The certificate has expired.

The CA MUST return the byte array in a CERTTRANSBLOB (section 2.2.2.2) structure. The first byte MUST identify the status for the first forward cross certificate, and the second byte MUST identify the same for the second forward cross certificate. Subsequent bytes MUST repeat this pattern.

The content of the byte array returned in the CERTTRANSBLOB (section 2.2.2.2) structure is best explained by an example. Assume that the client has renewed its CA certificates in the following manner.

CA certificate 0 contains the original key.

CA certificate 1 is created by renewing CA certificate 0 with a new key.

CA certificate 2 is created by renewing CA certificate 1 with the key used to create CA certificate 1. A new key is not used.

CA certificate 3 is created by renewing CA certificate 2 with a new key.

Two forward cross certificates exist, the first from certificate 0 to 1 and the second from certificate 2 to 3. The following table identifies the values of the byte array returned by this property.

 Byte  Value  Meaning
 ----  -----  ------------------------------------------------------------------------------------------------------------------------------------------
 0     Any    Contains the status of the forward cross certificate from CA certificate 0 to CA certificate 1. This can be any value from the preceding disposition table.
 1     0x01   Because the CA was renewed by using the same key, there is no forward cross certificate, and the status is unavailable.
 2     Any    Contains the status of the forward cross certificate from CA certificate 2 to CA certificate 3. This can be any value from the preceding disposition table.
 3     0x01   The last CA certificate cannot have a forward cross certificate.
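The following is an added example, not part of the specification and not Microsoft's code, that decodes the byte array carried in the CERTTRANSBLOB for this property and checks it against the renewal history described above. It assumes the caller has already extracted the raw bytes from the CERTTRANSBLOB and knows, for each CA certificate, whether its renewal used a new key; the function and parameter names (`key_indices_from_renewals`, `decode_forward_cross_state`, `check_blob_consistency`) and the sample blob are constructed for illustration.

```python
from __future__ import annotations
from enum import IntEnum


class CaDisp(IntEnum):
    """Disposition values from the CR_PROP_CAFORWARDCROSSCERTSTATE table."""
    CA_DISP_INCOMPLETE = 0x00
    CA_DISP_ERROR = 0x01      # certificate unavailable
    CA_DISP_REVOKED = 0x02
    CA_DISP_VALID = 0x03
    CA_DISP_INVALID = 0x04    # certificate expired


def key_indices_from_renewals(new_key_per_renewal: list[bool]) -> list[int]:
    """Turn a renewal history into a key index per CA certificate.

    new_key_per_renewal[i] is True when CA certificate i+1 was created by
    renewing certificate i with a new key. Certificate 0 always uses key 0.
    Example from the spec: [True, False, True] -> [0, 1, 1, 2].
    """
    keys = [0]
    for new_key in new_key_per_renewal:
        keys.append(keys[-1] + 1 if new_key else keys[-1])
    return keys


def decode_forward_cross_state(blob: bytes) -> list[CaDisp]:
    """Map byte i of the CERTTRANSBLOB payload to the disposition of the
    forward cross certificate from CA certificate i to certificate i+1.

    An empty blob means the server does not implement the
    Signing_Forward_Cross_Certificate column and yields an empty list.
    """
    states: list[CaDisp] = []
    for i, b in enumerate(blob):
        try:
            states.append(CaDisp(b))
        except ValueError:
            raise ValueError(f"byte {i}: unknown disposition 0x{b:02x}") from None
    return states


def forward_cross_possible(key_indices: list[int]) -> list[bool]:
    """A forward cross certificate from certificate i to i+1 can only exist
    when the two certificates use different keys; the last certificate
    never has one."""
    n = len(key_indices)
    return [i + 1 < n and key_indices[i] != key_indices[i + 1] for i in range(n)]


def check_blob_consistency(blob: bytes, key_indices: list[int]) -> list[str]:
    """Return a list of findings where the server's byte array disagrees with
    what the renewal history allows. An empty list means it is consistent."""
    findings: list[str] = []
    if not blob:
        return findings  # column not implemented; nothing to check
    if len(blob) != len(key_indices):
        findings.append(
            f"blob has {len(blob)} bytes but the CA has {len(key_indices)} certificates")
        return findings
    states = decode_forward_cross_state(blob)
    for i, possible in enumerate(forward_cross_possible(key_indices)):
        if not possible and states[i] != CaDisp.CA_DISP_ERROR:
            findings.append(
                f"byte {i}: no forward cross certificate can exist from certificate {i}, "
                f"expected CA_DISP_ERROR (0x01) but got {states[i].name}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the renewal history from the spec example
    # (0 -> 1 new key, 1 -> 2 same key, 2 -> 3 new key) and a blob in which
    # the two real forward cross certificates are valid and revoked respectively.
    history = key_indices_from_renewals([True, False, True])
    sample_blob = bytes([0x03, 0x01, 0x02, 0x01])
    for i, s in enumerate(decode_forward_cross_state(sample_blob)):
        print(f"byte {i}: {s.name}")
    print("findings:", check_blob_consistency(sample_blob, history))
```

The consistency check encodes exactly the two structural rules the example table states: a same-key renewal leaves no forward cross certificate, and the last CA certificate cannot have one, so those slots must carry 0x01. Any other slot may legitimately hold any disposition and is not flagged.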