3.1.1.1.1 Request Table Required Data Elements

Values for the following elements are required in the Request table:

Request_Request_ID: Column name "Request.RequestID". A field that is used to uniquely identify the request in the table and to link to the Attribute and Extension tables. This field MUST have a positive value.

Request_Raw_Request: Column name "Request.RawRequest". The raw request, as delivered by ICertRequestD or ICertRequestD2, as specified in [MS-WCCE] section 2.2.2.6.

Request_Disposition: Column name "Request.Disposition". Identifies the status of the request and of any certificate issued for it.

Possible values, each followed by its description, are listed as follows. This specification refers to these abstract values by the strings below; an implementation is free to use any representation for them.<5>

Request failed
    A certificate was never issued in response to the certificate request. The request cannot be resubmitted.

Request denied
    A certificate was never issued in response to the certificate request. The request can be resubmitted by using the ResubmitRequest method.

Request pending
    The request is in a state in which the decision whether to issue a certificate has not yet been made. The request can be denied by using the DenyRequest method. The request can be submitted again for issuance by using the ResubmitRequest method.

Certificate issued
    A certificate was issued in response to the certificate request.

Certificate revoked
    A certificate was issued, and subsequently the RevokeCertificate function was called, specifying the serial number of the certificate, in such a way that server processing rule #6 of the RevokeCertificate function was executed.

Foreign certificate
    A certificate was issued by a different CA and then imported into the CA by using the ImportCertificate method.

Raw_Certificate: Column name "RawCertificate". The certificate that was issued for a request (if a certificate was issued).

Request_Raw_Archived_Key: Column name "Request.RawArchivedKey". Any private key that is archived as part of a certificate request. Archived keys are generally encrypted with a key recovery agent (KRA) key. The format for the encrypted private key is specified in [MS-WCCE] section 3.1.1.4.3.6.

Request_Revocation_Date: Column name "Request.RevokedEffectiveWhen". This CERTTIME field is used as the revocationDate for a certificate in a CRL (CRL as specified in [RFC3280] section 5.1). This field is initialized as NULL and updated by the RevokeCertificate method. The CA does not put a certificate serial number in a base or delta certificate revocation list (CRL) until the time specified in the Request_Revocation_Date has passed for that certificate.

The Request_Revocation_Date field does not follow all the revocationDate rules that are defined in [RFC3280] because the Certificate Services Remote Administration Protocol client can specify and change this field when necessary. This flexibility is achieved by client calls to the RevokeCertificate functionality of the server, which is described in this protocol specification.

Certificates can be retroactively revoked; they can be revoked again by specifying any revocation date. They can also be changed to a state in which applications that verify revocation do not recognize the certificate as revoked. This state is achieved by specifying a future date for the revocation, including future dates that are subsequent to the expiry date that is recorded in the certificate.

Multiple requirements of [RFC3280] can be violated by the preceding behaviors. The Request_Revocation_Date can differ from the "date on which the revocation occurred..." (referenced in [RFC3280] section 5.1.2.6) or can differ from "...the date at which the CA processed the revocation" (referenced in [RFC3280] section 5.3.3). Changing revocation to a future date that is beyond the date of the next CRL violates the requirements of [RFC3280] section 3.3. This section states in part, "An entry MUST NOT be removed from the CRL until it appears on one regularly scheduled CRL issued beyond the revoked certificate's validity period". Note that a CRL cannot list a certificate that is not yet revoked, as determined by its revocation date. Retroactive revocation, that is, using a revocation date that is prior to the issuance of one or more existing CRLs, violates the rule that the "revocation date SHOULD NOT precede the date of issue of earlier CRLs", as defined in [RFC3280] section 5.3.3.

Request_Revoked_Reason: Column name "Request.RevokedReason". When a certificate has been revoked, this element provides the reason for the revocation.

The Request_Revoked_Reason is similar to the reasonCode that is specified in [RFC3280] section 5.3.1, except that the protocol supports only a subset of the values that the RFC defines, and it supports one additional value, as shown in the following table.

Revocation reason         Value
unspecified               0x00000000
keyCompromise             0x00000001
cACompromise              0x00000002
affiliationChanged        0x00000003
superseded                0x00000004
cessationOfOperation      0x00000005
certificateHold           0x00000006
removeFromCRL             0x00000008
Release from hold         0xffffffff

Serial_Number: Column name "SerialNumber". The issued certificate serial number.

Publish_Expired_Cert_In_CRL: Column name "PublishExpiredCertInCRL". This Request table column specifies whether the certificate whose serial number is identified in Serial_Number is to be included in CRLs if the certificate is revoked, even after it has expired.

This Request table column is a Boolean value, as shown in the following table.

Value   Description
1       The certificate whose serial number is identified in Serial_Number is to be included in CRLs if it is revoked, even after the certificate has expired.
0       The revoked certificate must not be included in CRLs after it has expired.
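The CRL-inclusion rules that Request_Revocation_Date and Publish_Expired_Cert_In_CRL describe, as an added example that is not part of this specification or of any Microsoft implementation: a small Python model of Request table rows in which RevokedEffectiveWhen, RevokedReason and PublishExpiredCertInCRL decide which entries a CRL issued at a given time lists, together with a check that reports the [RFC3280] expectations the text says a client-chosen revocation date can break. The not_after field, the RequestRow type, the function names and the sample rows are assumptions constructed for illustration; only the column names and the reason-code values come from the table above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Request_Disposition abstract values; the spec lets an implementation pick any representation.
CERTIFICATE_ISSUED = "Certificate issued"
CERTIFICATE_REVOKED = "Certificate revoked"

# Request_Revoked_Reason values from the table above. 0xffffffff ("Release from hold")
# exists only in this protocol and has no RFC 3280 reasonCode.
RELEASE_FROM_HOLD = 0xFFFFFFFF
REASON_NAMES = {
    0x0: "unspecified", 0x1: "keyCompromise", 0x2: "cACompromise",
    0x3: "affiliationChanged", 0x4: "superseded", 0x5: "cessationOfOperation",
    0x6: "certificateHold", 0x8: "removeFromCRL",
}


def rfc_reason_code(reason: Optional[int]) -> Optional[int]:
    """Return the RFC 3280 reasonCode for a Request_Revoked_Reason value, or None for
    Release from hold and for any code the protocol does not support (e.g. 7, 9, 10)."""
    return reason if reason in REASON_NAMES else None


@dataclass
class RequestRow:
    """Assumed row shape for illustration; column names follow the spec's table."""
    request_id: int                    # Request.RequestID; MUST be positive
    serial_number: str                 # SerialNumber
    disposition: str                   # Request.Disposition
    not_after: datetime                # expiry recorded in the certificate (assumed field)
    revoked_effective_when: Optional[datetime] = None  # Request.RevokedEffectiveWhen; NULL until revoked
    revoked_reason: Optional[int] = None               # Request.RevokedReason
    publish_expired_cert_in_crl: int = 0               # PublishExpiredCertInCRL; 1 or 0

    def __post_init__(self) -> None:
        if self.request_id <= 0:
            raise ValueError("Request.RequestID MUST have a positive value")
        if self.publish_expired_cert_in_crl not in (0, 1):
            raise ValueError("PublishExpiredCertInCRL is a Boolean: 0 or 1")


def crl_entries(rows: List[RequestRow], crl_issue_time: datetime) -> List[Tuple[str, datetime, Optional[int]]]:
    """Select the (serial, revocationDate, reasonCode) entries a base or delta CRL issued at
    crl_issue_time lists: a serial is not listed until RevokedEffectiveWhen has passed, and an
    expired certificate is listed only when PublishExpiredCertInCRL is 1."""
    entries = []
    for row in rows:
        if row.disposition != CERTIFICATE_REVOKED or row.revoked_effective_when is None:
            continue
        if row.revoked_effective_when > crl_issue_time:
            continue  # future-dated revocation: not yet revoked as far as this CRL is concerned
        if row.not_after < crl_issue_time and row.publish_expired_cert_in_crl != 1:
            continue  # expired, and the CA was not told to keep publishing it
        entries.append((row.serial_number, row.revoked_effective_when, rfc_reason_code(row.revoked_reason)))
    return entries


def rfc3280_warnings(row: RequestRow, earlier_crl_issue_times: List[datetime], next_update: datetime) -> List[str]:
    """Report which RFC 3280 expectations a client-chosen RevokedEffectiveWhen breaks."""
    when = row.revoked_effective_when
    warnings: List[str] = []
    if when is None:
        return warnings
    if any(when < issued for issued in earlier_crl_issue_times):
        warnings.append("5.3.3: revocation date precedes the issue date of an earlier CRL (retroactive revocation)")
    if when > next_update:
        warnings.append("3.3: revocation date is beyond the next CRL, so the serial will be absent from it")
    if when > row.not_after:
        warnings.append("revocation dated after the certificate's expiry; relying parties will never treat it as revoked")
    return warnings


def utc_day(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample rows (not real CA data).
SAMPLE_ROWS = [
    RequestRow(1, "1A", CERTIFICATE_ISSUED, utc_day(2025, 1, 1)),
    RequestRow(2, "2B", CERTIFICATE_REVOKED, utc_day(2025, 1, 1), utc_day(2024, 1, 10), 0x1),
    RequestRow(3, "3C", CERTIFICATE_REVOKED, utc_day(2025, 1, 1), utc_day(2024, 6, 1), 0x4),   # future-dated
    RequestRow(4, "4D", CERTIFICATE_REVOKED, utc_day(2024, 1, 15), utc_day(2023, 12, 1), 0x5, 0),  # expired, flag 0
    RequestRow(5, "5E", CERTIFICATE_REVOKED, utc_day(2024, 1, 15), utc_day(2023, 12, 1), 0x5, 1),  # expired, flag 1
]

if __name__ == "__main__":
    crl_time = utc_day(2024, 2, 1)
    for serial, when, reason in crl_entries(SAMPLE_ROWS, crl_time):
        print(serial, when.date(), REASON_NAMES.get(reason))
    for warning in rfc3280_warnings(SAMPLE_ROWS[2], [utc_day(2024, 1, 1)], utc_day(2024, 3, 1)):
        print("row 3:", warning)
```

Run against the sample rows with a CRL time of 2024-02-01, only serials 2B and 5E are listed: 3C is revoked in the table but carries a future revocation date, and 4D has expired without the publish flag. Re-running with a CRL time after 2024-06-01 picks up 3C, which is the behaviour the text describes for a revocation date that has not yet passed.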