3.1.4.1.3 ICertAdminD::ResubmitRequest (Opnum 5)

The ResubmitRequest method resubmits a specific pending or denied certificate request to the CA.

 HRESULT ResubmitRequest(
   [in, string, unique] wchar_t const* pwszAuthority,
   [in] DWORD dwRequestId,
   [out] DWORD* pdwDisposition
 );

pwszAuthority: See the pwszAuthority definition in ICertAdminD::SetExtension (section 3.1.4.1.1).

dwRequestId: A 32-bit nonzero unsigned integer value that specifies the ID of the certificate request.

pdwDisposition: A pointer to an unsigned integer value that receives the disposition status of the certificate (upon resubmission).

This method instructs the CA to try again to process a previously submitted certificate request, which is in a pending or denied state.

The following processing rules apply:

  1. The CA MUST validate that the Unicode string referenced by pwszAuthority matches (case-insensitive) the full CN or the sanitized name of the CA. Sanitized name is defined in [MS-WCCE] sections 1.3.2.5 and 3.1.1.4.1.1. If the value does not match, the server MUST fail the request. The error code SHOULD be 0x80070057.

  2. The CA MUST look up the request based on the provided dwRequestId parameter in the request table:

    • If the request is not found, the CA MUST place 0x80094004 in the pdwDisposition parameter and return successfully.<21>

    • If the request is found in the CA database, the row is referred to as the identified row in the following processing rules.

    • The CA MUST verify that the value of the Request_Disposition column in the identified row is "request pending" or "request denied".

    • If the value of the Request_Disposition column in the identified row is not "request pending" or "request denied", the CA MUST place 0x80094003 in the pdwDisposition parameter and return successfully.

    • If the value of the Request_Disposition column in the identified row is "request denied" and the invoker of the method is not the CA administrator, the CA MUST place 0x80094003 in the pdwDisposition parameter and return successfully.

  3. The CA MUST try to process the request as if it is a new request, as specified in [MS-WCCE] section 3.2.1.4.2.1.4, ignoring step one in [MS-WCCE] section 3.2.1.4.2.1.4.5.

  4. If the request processing results in the CA issuing the certificate, the CA MUST place a 3 in the pdwDisposition parameter and return successfully.

  5. If the request processing results in the denial of the certificate by the CA policy algorithm, the CA MUST set the Request_Disposition column of the identified row to "request denied", place a nonzero-zero error code in the pdwDisposition parameter, and MUST return successfully. Error codes are specified in [MS-ERREF]. All nonzero values of pdwDisposition SHOULD be treated equivalently by the client.

  6. If the request processing results in the CA pending the certificate, the CA MUST place a 5 in the pdwDisposition parameter and return successfully.

  7. If the request processing results in an error on the CA or in the policy algorithm, the CA MUST set the Request_Disposition column of the identified row to "request failed", MUST place an error code that is not equal to 2, 3, or 5 in the pdwDisposition parameter, and MUST return successfully. Error codes are specified in [MS-ERREF]. All nonzero values of pdwDisposition other than 2, 3, or 5 SHOULD be treated equivalently by the client.

  8. The CA SHOULD set the Request_Disposition_Message column of the identified row to any value the implementer considers informative for presentation to a human reader.

    All disposition messages contain text in the system language of the server.

    The disposition message provides additional information, if available, about the reason for the assignment of a particular disposition value or the details of the certificate disposition:

    If the return value is Error (30), the disposition messages will include one or more of the following:

    Error archiving private key. - This occurs if the CA encountered an error or was otherwise unable to archive a private key sent with the request.

    Error parsing request. - This occurs if the request is malformed.

    Error verifying request signature or signing certificate. - This occurs if the signature signing the request or the signature on a request signing certificate could not be verified.

    Resubmitted by {domain\name}, where {domain\name} is replaced with the user name of the caller if the request was submitted by using the ResubmitRequest method of this protocol.

    If the return value is Denied (31), the disposition messages will include one or more of the following:

    • Denied by {domain\name}, where {domain\name} is replaced with the user name of the caller if the request was submitted by using the DenyRequest method of this protocol.

    • Denied by policy module. - This occurs if the policy module processing failed one or more of the checks required to issue a certificate.

    • Denied by policy module, combined with a descriptive error message. - This occurs when the policy module processing failed one or more of the checks required to issue a certificate and an additional error code was generated. Other Windows error messages are as documented in [MS-ERREF].

    • Requested by {domain\name}, where {domain\name} is replaced with the user name of the caller if the request was formerly in a pending state and was issued by using the ResubmitRequest method of this protocol.

    If the return value is Issued (20), the disposition messages include the following:

    • Requested by {domain\name}, where {domain\name} is replaced with the user name of the caller.

    • Issued. - This occurs if the certificate was issued and no additional information is required.

    • Issued, combined with a descriptive informational message from the policy algorithm. - This occurs if additional information relevant to the certificate issuance is available, for example, if a certificate validity period was truncated from the requested length.

    • Resubmitted by {domain\name}, where {domain\name} is replaced with the user name of the caller if the request was formerly in a pending state and was issued by using the ResubmitRequest method of this protocol.

    If the return value is Pending (9), the disposition messages include the following:

    Taken under submission. - This occurs if the CA or the certificate template is configured to require manager approval for certificate issuance. Prior to manager approval, the certificate will be in a pending or "taken under submission" disposition.