1.3 Overview

  • Article

The WS-Trust X.509v3 Token Enrollment Extensions (WSTEP) defines the token enrollment profile for WS-Trust [WSTrust1.3] to allow a client to request X.509v3 certificates.

Existing certificate authorities (CAs) support Abstract Syntax Notation One (ASN.1) formats such as PKCS#10 ([RFC2986]), PKCS#7 ([RFC3852]), or CMC ([RFC2797]) to encode a certificate request, and those requests are carried in an existing protocol, such as Windows Client Certificate Enrollment Protocol [MS-WCCE] or Cisco's SCEP ([SCEP]). WSTEP also carries those requests from the client to the issuer.

WSTEP provides for issuance, renewal, and delayed-issuance scenarios for X.509v3 digital certificates. The server is known in WS-Trust [WSTrust1.3] terminology as a Security Token Service (STS).

The WS-Trust protocol [WSTrust1.3] definition provides the framework for the STS and for enrollment profile extensions. A typical client interacts with a STS with a request security token (RST) message. The STS responds to a client request security token message with a request security token response (RSTR) or a SOAP fault.

Typical sequence for certificate enrollment

Figure 1: Typical sequence for certificate enrollment

The following figure shows a scenario in which a request cannot be satisfied immediately. In this scenario, the client makes a request, and the server reply indicates that the request is pending some other action. The client then queries the request at a later time, presumably after any conditions for its satisfaction have been met, and receives a reply that the request was issued, rejected, or is still pending.

Typical sequence for a pended certificate enrollment request

Figure 2: Typical sequence for a pended certificate enrollment request

In some circumstances, the client request could be rejected. In these instances, the STS responds with a SOAP fault. The following figure shows the typical sequence.

Typical sequence for a rejected certificate renewal request

Figure 3: Typical sequence for a rejected certificate renewal request

The following figure is an example of a message exchange for a renewal request. A renewal request uses an existing certificate and requests a new lifespan. From the point of view of the WSTEP protocol, this is the same as an issue request, as the message format is unchanged.

Typical sequence for a certificate renewal request

Figure 4: Typical sequence for a certificate renewal request