1.3.1 High-Level Protocol Operations

The high-level operations performed by the Windows Client Certificate Enrollment Protocol are the following:

  1. Request a new certificate for the client directly from the CA. (For more information, see section 3.1.1.4.3.1.) This operation makes one ICertRequestD::Request or ICertRequestD2::Request2 call from the client to the CA.

  2. Get a new certificate on behalf of another principal through a Request On Behalf Of (ROBO) process, in which a registration authority (RA) requests a certificate on behalf of a client, usually a person but potentially a machine. For more information, see section 3.1.1.4.3.3. This operation makes one ICertRequestD::Request or ICertRequestD2::Request2 call from the RA to the CA.

  3. Renew a certificate, in which the client requests a certificate (presumably with a later expiration date) to replace an old certificate that is reaching the end of its validity period. For more information, see section 3.1.1.4.3.2. This operation makes one ICertRequestD::Request or ICertRequestD2::Request2 call from the client to the CA.

  4. Get CA properties, in which a client or RA queries the CA for its configuration and state. For more information, see sections 3.1.1.4.4, 3.1.1.4.6, and 3.1.1.4.7. This operation makes one ICertRequestD::GetCACert or ICertRequestD2::GetCAProperty call to the CA.

  5. Issue a Ping request against a CA, in which an end entity or RA queries the CA to discover whether the CA service is available. For more information, see section 3.1.1.4.5. This operation makes one ICertRequestD::Ping or ICertRequestD2::Ping2 call to the CA.

  6. Archive a private key, in which the client uses a public key belonging to the CA (the CA exchange certificate) to encrypt a copy of the private key corresponding to an encryption certificate and sends the encrypted private key to the CA for archival. Archival is an optional subprotocol, with security considerations specified in section 5.1.10. For more information, see section 3.1.1.4.3.6. This operation makes two calls from the client to the CA: ICertRequestD::GetCACert or ICertRequestD2::GetCAProperty to retrieve the CA exchange certificate, followed by ICertRequestD::Request or ICertRequestD2::Request2 to deliver a certificate request that includes the encrypted private key.
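The following PowerShell script is an added example and is not part of MS-WCCE or of any Microsoft sample. It drives operations 1, 4 and 5 and the first call of operation 6 from the list above through the client-side wrappers that emit the DCOM calls named there: certutil -ping (ICertRequestD2::Ping2) and the CertificateAuthority.Request COM object, which exposes ICertRequest2 and issues GetCAProperty and Request2 on the caller's behalf. It goes one step beyond the list by checking the retrieved exchange certificate before a private key would be encrypted to it, which is the practical concern behind section 5.1.10. The CA config string "ca01.corp.example\Corp Issuing CA", the request file C:\temp\client.req and the output path C:\temp\client.cer are assumed, hypothetical values; the property IDs, type codes and flag values are the certcli.h constants.

```powershell
# Added example, not from MS-WCCE. Exercises the high-level operations listed above via
# certutil and the ICertRequest2 COM wrapper (ProgID CertificateAuthority.Request).
# Assumed values: CA config string and a pre-built PKCS#10 request (e.g. from "certreq -new").
$Config  = 'ca01.corp.example\Corp Issuing CA'   # <host>\<CA common name>, hypothetical
$ReqFile = 'C:\temp\client.req'                  # hypothetical PKCS#10 request file

# Operation 5: Ping. certutil -ping calls ICertRequestD2::Ping2 on the request interface.
certutil -ping -config $Config | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA request interface at '$Config' is not responding" }

$Req = New-Object -ComObject CertificateAuthority.Request   # ICertRequest2

# Operation 4: GetCAProperty. From certcli.h: CR_PROP_CANAME = 6, PROPTYPE_STRING = 4.
$caName = $Req.GetCAProperty($Config, 6, 0, 4, 0)
"Connected to CA '$caName'"

# First call of operation 6: retrieve the CA exchange certificate.
# GetCACertificate(fExchangeCertificate = 1, config, CR_OUT_BASE64 = 1) returns base64 DER.
$xchgB64 = $Req.GetCACertificate(1, $Config, 1)
$xchg = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($xchgB64))

# Check before encrypting a private key to this certificate: it must chain to a trusted
# root and carry the CA Exchange EKU (szOID_KP_CA_EXCHANGE, 1.3.6.1.4.1.311.21.5).
# Whoever holds the matching private key can decrypt every archived key sent to it.
$ekuExt = $xchg.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasExchangeEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages |
    Where-Object { $_.Value -eq '1.3.6.1.4.1.311.21.5' })
if (-not $xchg.Verify() -or -not $hasExchangeEku) {
    throw "Refusing to archive to untrusted exchange certificate $($xchg.Thumbprint)"
}
"Exchange cert OK: $($xchg.Subject), valid until $($xchg.NotAfter)"
# Wrapping the encrypted private key into a CMC request is left to certreq/CertEnroll
# (section 3.1.1.4.3.6); its submission is the same Request2 call shown next.

# Operation 1: submit the PKCS#10 request (ICertRequestD2::Request2).
# Flags: CR_IN_ENCODEANY (0xFF) lets the CA detect the encoding, CR_IN_PKCS10 (0x100) names the format.
$disp = $Req.Submit(0x1FF, (Get-Content -Raw $ReqFile), '', $Config)
$dispName = @{ 0 = 'incomplete'; 1 = 'error'; 2 = 'denied'; 3 = 'issued';
               4 = 'issued out of band'; 5 = 'under submission'; 6 = 'revoked' }[$disp]
"Request $($Req.GetRequestId()): $dispName - $($Req.GetDispositionMessage())"
if ($disp -eq 3) {
    # CR_OUT_BASE64HEADER = 0 gives PEM with BEGIN/END lines.
    Set-Content -Path 'C:\temp\client.cer' -Value $Req.GetCertificate(0)
}

# Operation 3 (renewal) is driven from certreq, which builds the renewal CMC and issues the
# same Request2 call; $serial is the hypothetical serial number of the certificate to replace.
# certreq -enroll -q -cert $serial renew
# Operation 2 (ROBO) needs an enrollment agent certificate to sign the request and is not shown.
```

The disposition values (CR_DISP_*) are the ones the CA returns from Request2, so the lookup table is the place to branch on "issued" versus "under submission" when the CA requires manager approval. The exchange-certificate check is the part most scripts skip: the CA hands back whatever certificate it has, and the client is the only party that can refuse to encrypt its private key to something it does not trust.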