Attribute | Encoding | Comment |
---|---|---|
transactionID | PrintableString | Unique ID for this transaction as a text string |
messageType | PrintableString | Decimal value as a numeric text string |
pkiStatus | PrintableString | Decimal value as a numeric text string |
failInfo | PrintableString | Decimal value as a numeric text string |
failInfoText | UTF8String | Descriptive text for the failInfo value |
senderNonce | OCTET STRING | Random nonce as a 16-byte binary data string |
recipientNonce | OCTET STRING | Random nonce as a 16-byte binary data string |

Name | ASN.1 Definition |
---|---|
id-VeriSign | OBJECT IDENTIFIER ::= {2 16 US(840) 1 VeriSign(113733)} |
id-pki | OBJECT IDENTIFIER ::= {id-VeriSign pki(1)} |
id-attributes | OBJECT IDENTIFIER ::= {id-pki attributes(9)} |
id-transactionID | OBJECT IDENTIFIER ::= {id-attributes transactionID(7)} |
id-messageType | OBJECT IDENTIFIER ::= {id-attributes messageType(2)} |
id-pkiStatus | OBJECT IDENTIFIER ::= {id-attributes pkiStatus(3)} |
id-failInfo | OBJECT IDENTIFIER ::= {id-attributes failInfo(4)} |
id-senderNonce | OBJECT IDENTIFIER ::= {id-attributes senderNonce(5)} |
id-recipientNonce | OBJECT IDENTIFIER ::= {id-attributes recipientNonce(6)} |
id-scep | OBJECT IDENTIFIER ::= {id-pkix 24} |
id-scep-failInfoText | OBJECT IDENTIFIER ::= {id-scep 1} |

Value | Name | Description |
---|---|---|
0 | Reserved | |
3 | CertRep | Response to certificate or CRL request. |
17 | RenewalReq | PKCS #10 certificate request authenticated with an existing certificate. |
19 | PKCSReq | PKCS #10 certificate request authenticated with a shared secret. |
20 | CertPoll | Certificate polling in manual enrolment. |
21 | GetCert | Retrieve a certificate. |
22 | GetCRL | Retrieve a CRL. |

Value | Name | Description |
---|---|---|
0 | SUCCESS | Request granted. |
2 | FAILURE | Request rejected. In this case, the failInfo attribute, as defined in |
3 | PENDING | Request pending for manual approval. |

Value | Name | Description |
---|---|---|
0 | badAlg | Unrecognised or unsupported algorithm. |
1 | badMessageCheck | Integrity check (meaning signature verification of the CMS message) failed. |
2 | badRequest | Transaction not permitted or supported. |
3 | badTime | The signingTime attribute from the CMS authenticatedAttributes was not sufficiently close to the system time. This condition may occur if the CA is concerned about replays of old messages. |
4 | badCertId | No certificate could be identified matching the provided criteria. |

Request-type | Reply-contents |
---|---|
PKCSReq | The reply |
RenewalReq | Same as PKCSReq |
CertPoll | Same as PKCSReq |
GetCert | The reply |
GetCRL | The reply |

Keyword | Description |
---|---|
AES | CA supports the AES128-CBC encryption algorithm. |
DES3 | CA supports the triple DES-CBC encryption algorithm. |
GetNextCACert | CA supports the GetNextCACert message. |
POSTPKIOperation | CA supports PKIOperation messages sent via HTTP POST. |
Renewal | CA supports the Renewal CA operation. |
SHA-1 | CA supports the SHA-1 hashing algorithm. |
SHA-256 | CA supports the SHA-256 hashing algorithm. |
SHA-512 | CA supports the SHA-512 hashing algorithm. |
SCEPStandard | CA supports all mandatory-to-implement sections of the SCEP standard. This keyword implies "AES", "POSTPKIOperation", and "SHA-256", as well as the provisions of |

The client sends a PKCSReq message with transactionID 1 to the CA. The CA signs the certificate and constructs a CertRep message containing the signed certificate, carrying the same transactionID 1. The client receives the message and installs the certificate locally.
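The following helpers, an added example rather than code from RFC 8894 or any SCEP implementation, apply the tables above on the client side: parsing a GetCACaps response (with the SCEPStandard implication), choosing the strongest advertised algorithms, decoding the PrintableString status attributes of a CertRep, and checking the 16-byte nonces. The sample inputs are constructed; the rule that a reply's recipientNonce must echo the request's senderNonce comes from RFC 8894 rather than from a table on this page.

```python
# Added example (not RFC 8894's own code): client-side helpers built from the
# attribute, message-type, status, failInfo and capability tables above.
MESSAGE_TYPE = {3: "CertRep", 17: "RenewalReq", 19: "PKCSReq",
                20: "CertPoll", 21: "GetCert", 22: "GetCRL"}
PKI_STATUS = {0: "SUCCESS", 2: "FAILURE", 3: "PENDING"}
FAIL_INFO = {0: "badAlg", 1: "badMessageCheck", 2: "badRequest",
             3: "badTime", 4: "badCertId"}
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

def parse_ca_caps(body: str) -> set:
    """GetCACaps returns one keyword per line; unknown keywords are ignored.
    SCEPStandard implies AES, POSTPKIOperation and SHA-256 (capabilities table)."""
    caps = {line.strip() for line in body.splitlines()} & KNOWN_CAPS
    if "SCEPStandard" in caps:
        caps |= {"AES", "POSTPKIOperation", "SHA-256"}
    return caps

def choose_algorithms(caps: set) -> tuple:
    """Pick the strongest advertised content-encryption and digest algorithms.
    None means the CA advertised nothing acceptable from the table."""
    enc = "AES128-CBC" if "AES" in caps else "3DES-CBC" if "DES3" in caps else None
    digest = next((d for d in ("SHA-512", "SHA-256", "SHA-1") if d in caps), None)
    return enc, digest

def decode_status(attrs: dict) -> dict:
    """Map the decimal PrintableString attributes of a CertRep to their names.
    A FAILURE reply must carry failInfo; unmapped values are reported as such."""
    out = {}
    for key, table in (("messageType", MESSAGE_TYPE), ("pkiStatus", PKI_STATUS),
                       ("failInfo", FAIL_INFO)):
        if key in attrs:
            value = attrs[key].strip()
            out[key] = table.get(int(value), f"unknown({value})") if value.isdigit() \
                else f"malformed({value})"
    if out.get("pkiStatus") == "FAILURE" and "failInfo" not in out:
        out["failInfo"] = "missing"  # reject: failInfo is mandatory with FAILURE
    if "failInfoText" in attrs:
        out["failInfoText"] = attrs["failInfoText"]
    return out

def nonces_ok(sent_sender_nonce: bytes, reply_recipient_nonce: bytes) -> bool:
    """Both nonces are 16-byte OCTET STRINGs; the reply's recipientNonce must
    echo our request's senderNonce (RFC 8894), tying the CertRep to this transaction."""
    return (len(sent_sender_nonce) == 16 == len(reply_recipient_nonce)
            and sent_sender_nonce == reply_recipient_nonce)

if __name__ == "__main__":
    # Constructed sample: a CA advertising the mandatory profile plus SHA-512.
    caps = parse_ca_caps("SCEPStandard\nRenewal\nSHA-512\n")
    print(sorted(caps), choose_algorithms(caps))
    print(decode_status({"messageType": "3", "pkiStatus": "2", "failInfo": "1"}))
```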