Page tree
Skip to end of metadata
Go to start of metadata

OBEs use this service to download a previously requested Identification Certificate. 

HTTP Request BodyEmpty

HTTP Request Headers

HTTP Header 'Download-Req' containing a Base64 encoded ASN.1 serialized SecuredAuthenticatedDownloadRequest containing a SignedAuthenticatedDownloadRequest containing a ScopedAuthenticatedDownloadRequest containing an AuthenticatedDownloadRequest with a filename property of the form [0-9A-F]{16}_i.zipwhere the group of 16 hexadecimal digits is the device's request hash obtained from the provision identification certificate request, and i is a file iterator in hexadecimal starting at 0 (both are case insensitive). Example: corresponds to i = 15, for a device with request hash AB09281C9867DE53. There shall be exactly one identification certificate per file.

Range (optional) as defined in RFC 2616:

To support partial downloads for resuming interrupted transfers.  Examples: 

  1. From byte offset 500 to 700:  Range : bytes=500-700
  2. Starting from byte offset 1000 to the end:   Range : bytes=1000-
HTTP Response BodyIf no Range header is present, the entire tar file corresponding to the requested batch.  If a Range header is present, the specified bytes of the referenced file.


  1. The requested certificate has already been generated
  2. The requesting device has not been previously revoked


  1. The zip file corresponding to the certificate specified in the request URL is returned.
  2. The content of the tar file is organized as a flat directory containing 1 file named as in:
    • X_i
    • X shall be the lower 8-bytes of the SHA-256 hash (16 hexadecimal digits) of the device request in hexadecimal (case insensitive)
    • Where there is no extension

Error Handling

See "RA-EE Errors" in Overview of Used Error Codes

Quality of Service

For PoC the volume for this interface is still TBD but is not expected to have significant impact on system throughput requirements.

Quality of Protection

  • RA protects access with HTTPS (TLS V1.2)
  • Supports at a minimum OpenSSL cipher suite ECDHE-ECDSA-AES128-SHA256
  • Uses certificate-based client authentication of data signed by the device enrollment certificate, validated at the application layer. This is a supplement to the one-way TLS authentication, to provide two-way authentication with a TLS/1609.2 hybrid scheme.