Provide a bootstrapped RSE with an application certificate that it can use in relevant applications.
Background and Strategic Fit
The application certificate provisioning is the process by which a bootstrapped RSE receives an application certificate. As there are no location privacy or tracking concerns for RSEs, the RA is not required to shuffle the requests (unlike the case of OBEs).
This use case involves the following SCMS components:
- Pseudonym Certificate Authority (PCA)
- Registration Authority (RA)
The validity duration of application certificate is short due to the assumption that RSEs have frequent online connectivity.
AssumptionsIn order to facilitate the certificate request process, a RSE must meet the following prerequisites:
- RSE has a valid enrollment certificate
- RSE has root CA, RA and PCA certificates installed
- RSE knows the FQDN of the RA
The following flow chart documents the general flow of steps an RSE needs to carry out in the given order to obtain application certificates. It is not a 100% accurate description of the process. Please refer to the use case's steps and their requirements for a complete description of the process.
At a high level, two steps are relevant towards a RSE:
Having determined which RA to submit the request to, the RSE creates a request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the LOP/RA. The RA checks to make sure that the certificate request is correct and authorized, then sends back a download location (requestHash) and time (certDLTime). The RA then forwards the certificate request to the PCA. The PCA signs the application certificate, encrypts them for the RSE, signs the encrypted version of the certificate, and returns the encrypted and signed application certificate to the RA. The RA does not remove any of the named signatures or encryptions, adds them to a zip file and stores them for download by the RSE. The RSE starts downloading the zip files at certDLTime.