2.5.3.1 Enroll for a Certificate

Figure 11: Enroll for a certificate

This use case allows a caller, either an end entity, enrollment agent, or autoenrollment client, to request a certificate from a CA. Upon successful completion of the use case, the end entity receives a certificate signed by the CA.

Goal: To enroll for a certificate so that the end entity is issued a certificate.

Context of Use: An end entity can use a certificate for any number of different reasons and scenarios. When a certificate is required, a caller generates a certificate request and submits it to the CA, as specified in [MS-WCCE]. The certificate enrollment can be either a new enrollment or a renewal. In the renewal case, an existing certificate is used to sign a request for a new certificate of the same type before it is submitted to the CA. Depending upon the scenario, the caller might be an enrollment agent or an autoenrollment client rather than the end entity. In the Enroll On Behalf Of (EOBO) use case, a certificate request is signed by an enrollment agent before being submitted to the CA. The autoenrollment use case automatically handles certificate enrollment and the re-enrollment of expired certificates, relieving the administrator of this task.

Direct Actor: The direct actor of this use case is the end entity.

Primary Actors: The primary actors of this use case are the same as the direct actor, with the possible inclusion of an enrollment agent.

Supporting Actors: The CA administrator could be a supporting actor in this use case.

Stakeholders and Interests:

  • The primary interest of the end entity is to submit certificate requests and receive certificates.

  • The primary interest of the enrollment agent is to submit certificate requests to the CA and receive certificates on behalf of the end entity.

  • The primary interest of the CA administrator is approving pending certificate requests so that the CA can issue them.

  • The primary interest of the autoenrollment client is to submit the end entity's certificate requests to the CA and to receive certificates automatically.

Preconditions: The end entity, and possibly the enrollment agent and CA administrator, require access to the CA.

Minimal Guarantee: The minimal guarantee is that the end entity receives an error message that gives the reason why the certificate request was not issued.

Success Guarantee: The CA system guarantees that it can issue certificates when permitted by its policy algorithm.

Trigger: The certificate enrollment process is triggered when the CA receives a certificate request.

Main Success Scenario:

  1. When the trigger occurs, the CA decides whether the certificate can be issued based on its policy.

  2. The CA constructs a certificate based on the certificate request and its policy.

  3. The CA signs the certificate and returns it to the client.

Extensions: Depending upon the configuration of the system, a CA administrator might be involved in the certificate enrollment decision process. When the CA holds a certificate request in a pending state, the request requires CA administrator approval before issuance, as specified in [MS-CSRA]; the CA keeps the request pending until a CA administrator approves it. After it is approved, the certificate is issued.

Post-conditions: The end entity has received the required certificate from the CA.
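The following PowerShell session is an added example, not part of this document, that walks the use case above (new enrollment, the pending-request extension, and renewal) with the Windows certreq and certutil tools; the CA configuration string, host name, template name and request ID it uses are assumed placeholders.

```powershell
# Added example: the enrollment use case driven with certreq/certutil.
# The CA config string, subject, template name and request ID are assumed
# placeholders, not values taken from the document.
$CAConfig = "ca01.corp.example\Example Issuing CA"   # assumed "<host>\<CA name>"

# 1. The caller generates a certificate request (new enrollment).
@"
[NewRequest]
Subject = "CN=web01.corp.example"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
[RequestAttributes]
CertificateTemplate = WebServer   ; assumed template name
"@ | Set-Content -Path .\web01.inf -Encoding ASCII
certreq -new .\web01.inf .\web01.req

# 2. Submit the request to the CA [MS-WCCE]. The CA applies its policy and
#    either issues the certificate, denies the request, or holds it pending.
$result = certreq -submit -config $CAConfig .\web01.req .\web01.cer
$result

# 3. Extension: the request was taken under submission. Keep the RequestId
#    that certreq printed; a CA administrator approves it [MS-CSRA] and the
#    caller then retrieves the issued certificate.
$requestId = 0
if (($result | Out-String) -match 'RequestId:\s*(\d+)') { $requestId = [int]$Matches[1] }
if ($requestId -gt 0) {
    certutil -config $CAConfig -resubmit $requestId      # run as CA administrator
    certreq -retrieve -config $CAConfig $requestId .\web01.cer
}

# 4. Install the issued certificate next to its private key.
certreq -accept .\web01.cer

# Renewal: the existing certificate (selected by serial number) signs the
# request for a new certificate of the same type before submission.
certreq -enroll -machine -config $CAConfig -cert "<existing-cert-serial-number>" Renew
```

If the CA issues immediately, step 2 already writes web01.cer and step 3 is skipped; a denied request surfaces as the error text in $result, which is the minimal guarantee described above.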