Target release: Release 1.0
Document owner
Reviewer

Goals

The goal is to define messages and other requirements for an RSE to request an application certificate.

Background and Strategic Fit

The RSE decides to request an application certificate from its preconfigured RA.

Having determined which RA to submit the request to, the RSE creates a request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the RA. The RA checks to make sure that the request is correct and authorized.

The RSE will attempt to download the local certificate chain file (LCCF) and the local policy file (LPF) before submitting the request. Note that any EE should download the local policy file and local certificate chain file each time it connects to the RA.

Assumptions

The RSE has successfully completed Use Case 12: RSE Bootstrapping (Manual).

Process Steps

  1. The RSE downloads the Local Policy File (LPF) and the Local Certificate Chain File (LCCF) using the API documented in RA - Download local policy file and RA - Download Local Certificate Chain File
    1. If there is an updated LCCF, the RSE applies all changes to its trust-store (necessary for PCA Certificate Validations)
    2. If there is an updated LPF, the RSE applies those changes
  2. The RSE creates the request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the RA using the API documented in RA - Request Application Certificate Provisioning
  3. The RA ensures that the certificate batch request is correct and authorized, before it starts Step 13.2: Generate RSE Application Certificate

Error Handling

  1. The RSE will abandon further interactions with the RA after a certain number of failed communication attempts result in errors.

Requirements

Use Case 13.1 - Requirements

Design

RSE-RA Communication

EE Request

The EE initiates the certificate request message in order to provide the RA with the critical information (key parameters, current time, etc.) necessary for RSE application certificate generation. The EE will send a certificate request message each time it requires a new certificate.

Security / Privacy

The Certificate Provisioning Request message shall use signing and encryption to ensure:

  • The request has not been modified in transit
  • The RA can verify the message came from the device
  • The request is shared confidentially between the device and RA

The EE shall sign the request with the enrollment certificate. The EE shall also encrypt the request using the RA certificate and encapsulate it in an IEEE 1609.2 frame of type encrypted.

Message Contents

The EE shall use the ASN.1 defined for creating the certificate request message; details can be found at RA - Request Application Certificate Provisioning. In order for a request to be validated by the RA, the EE shall include the following information in the certificate provisioning request message:

  • Version
  • EE enrollment certificate
  • A signed certificate signature key (signed with enrollment certificate)
  • A response encryption key that PCA would use to encrypt the issued certificate to EE
  • Optionally: a certificate encryption key that PCA would include in the issued certificate
  • Current device time: a 32-bit value denoting the number of seconds since the Epoch (as defined in 1609.2)
  • Requested certificate start time: a 32-bit value denoting the number of seconds since the Epoch (as defined in 1609.2)

RA Response

The RA response to the certificate provisioning request message may be accept (indicated by a request acknowledgement) or reject (indicated by an HTTP 500). In case of reject, the RA shall return the error code "HTTP 500" to EEs. Specific error codes should be hidden from EEs so that they do not provide useful information to malicious actors. The RA shall log the specific error for future investigation.

RA - EE Request Acknowledgement

The request acknowledge message is initiated by the RA in response to a certificate provisioning request message successfully received from the EE. If the EE request is received and processed without triggering an error (invalid signature, blacklisted, etc.), the RA processes the certificate request and begins certificate pre-generation. The request acknowledge message provides the EE with a URL and a time indicating where and when the first certificate batches will be available for download.

Security / Privacy

The request acknowledge message shall use signing and encryption to ensure:

  • The request has not been modified in transit
  • The device can verify that the message came from the RA
  • The request is shared confidentially between the device and RA

The RA shall sign and encrypt the request acknowledge message using the RA certificate and encapsulate it in an IEEE 1609.2 frame of type encrypted.

Message Contents

The RA shall use the ASN.1 defined for creating the request acknowledge message in RA - Request Application Certificate Provisioning and shall include the following information:

  • Case: Certificate Provisioning Request Accept
    • Version
    • Low-order 8 bytes of the SHA-256 hash of the encoded "ToBeSigned" certificate request from the device. Set to 0 if the RA cannot calculate the hash of the original request
    • Time at which the first certificate file will be available for download (represented by IEEE 1609.2 Time32)
    • URL of the certificate repository (common for all devices serviced by a specific RA)
  • Case: Certificate Provisioning Request Reject
    • HTTP-500 Error Code

EE Response

If the RA provides a positive acknowledgement (accept) to a certificate provisioning request, the EE moves forward with the certificate download process using the provided URL given in the acknowledge message.

If the EE does not receive an acknowledgement from the RA in response to the request within the defined time, the EE should retry. Several conditions may necessitate the EE sending the request more than once. This may be due to:

  • Request lost in transit (no TCP ack)
  • RA offline, unavailable or RA network address has changed (EE must query DNS for latest RA network information)
  • EE possesses an invalid RA certificate and cannot establish secure communications
  • EE received HTTP-500 Error Code

The EE should not attempt to transmit the Request Certificate message without completing the prerequisites.
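The acknowledgement's hash field is what lets the EE bind an accept to the specific request it sent before it acts on the URL. The following is an added example (not the project's code or ASN.1): it computes the low-order 8 bytes of SHA-256 over a constructed stand-in for the encoded "ToBeSigned" request, builds the accept-case acknowledgement on the RA side, and matches it on the EE side, treating the zeroed field (RA could not hash the request) as unbound. `RequestAck`, `ra_build_ack` and `ee_match_ack` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Value the RA places in the hash field when it cannot hash the original request.
HASH_UNAVAILABLE = bytes(8)


def request_hash_id(encoded_tbs_request: bytes) -> bytes:
    """Low-order 8 bytes (i.e. the last 8 bytes) of SHA-256 over the encoded
    'ToBeSigned' certificate request."""
    return hashlib.sha256(encoded_tbs_request).digest()[-8:]


@dataclass(frozen=True)
class RequestAck:
    """Hypothetical stand-in for the ASN.1 acknowledgement (accept case)."""
    version: int
    request_hash: bytes      # 8 bytes, or HASH_UNAVAILABLE
    available_at: int        # Time32: seconds since the 1609.2 epoch
    repository_url: str      # common to all devices served by this RA


def ra_build_ack(encoded_tbs_request: Optional[bytes],
                 available_at: int, repository_url: str) -> RequestAck:
    """RA side: bind the acknowledgement to the received request, or zero the
    field when the original request cannot be hashed."""
    if encoded_tbs_request is None:
        request_hash = HASH_UNAVAILABLE
    else:
        request_hash = request_hash_id(encoded_tbs_request)
    return RequestAck(1, request_hash, available_at, repository_url)


def ee_match_ack(ack: RequestAck, outstanding: Dict[bytes, bytes]) -> Optional[bytes]:
    """EE side: return the encoded request this acknowledgement refers to, or
    None if it cannot be bound to one.

    `outstanding` maps request_hash_id(req) -> req for each request the EE has
    sent and not yet seen acknowledged. A zeroed hash field identifies no
    particular request, so it is reported as unmatched; an unknown hash is
    likewise unmatched rather than being accepted as proof of a pending request.
    """
    if len(ack.request_hash) != 8 or ack.request_hash == HASH_UNAVAILABLE:
        return None
    return outstanding.get(ack.request_hash)
```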

ASN.1 Specification
