3.2.1.4.3.2.15 PropID = 0x0000000F (CR_PROP_CAXCHGCERT) "CA Exchange Certificate"

The client has requested the CA exchange certificate. The CA MUST follow these processing rules to process the client's request:

  1. If the PropIndex parameter is not equal to 0x0 or 0xFFFFFFFF, return the E_INVALIDARG (0x80070057) error to the client.

  2. If the Current_CA_Exchange_Cert element is NULL, load the exchange certificate as follows:

    • Clear all contents from the Store_CA_Exchange_Cert list and set it back to NULL.

    • Read each entry from the Config_CA_Exchange_Cert list. For each entry:

      • Retrieve the certificate from the request database by finding the row with Certificate_Hash equal to the Config_CA_Exchange_Cert entry value.

      • If the certificate is found and it meets the following criteria, add it to the Store_CA_Exchange_Cert element.

        • The certificate is within its validity period.

        • The issuer name of the certificate matches the subject name of the current CA signing certificate.

        • The signature on the certificate verifies under the public key of the current CA signing certificate; that is, the certificate was signed with the current CA signing key.

    • Populate the Current_CA_Exchange_Cert element with the certificate from Store_CA_Exchange_Cert with the latest notAfter date.

  3. If no entries were found in Config_CA_Exchange_Cert in step 2, if no certificate met the criteria to be added to Store_CA_Exchange_Cert in step 2, or if Current_CA_Exchange_Cert is not NULL and either of the following is true:

    • Current_CA_Exchange_Cert is not within its validity period.

    • Current_CA_Exchange_Cert is revoked.

    then create a new exchange certificate as specified in section 3.2.1.4.3.2.15.1, and add the hash value of each certificate in the Store_CA_Exchange_Cert list, including the new exchange certificate, to the Config_CA_Exchange_Cert list.

  4. By this point there should be a valid exchange certificate in Current_CA_Exchange_Cert. Return the contents of this datum by marshaling it in a CERTTRANSBLOB (section 2.2.2.2) structure as specified in section 2.2.2.2.2. Marshaling rules for the CERTTRANSBLOB structure are specified in section 2.2.2.2.