Page tree
Skip to end of metadata
Go to start of metadata
Target release

Release 1.0

Document owner


Provide a bootstrapped RSE with an application certificate that it can use in relevant applications.

Background and Strategic Fit

The application certificate provisioning is the process by which a bootstrapped RSE receives an application certificate. As there are no location privacy or tracking concerns for RSEs, the RA is not required to shuffle the requests (unlike the case of OBEs).

This use case involves the following SCMS components:

  • Pseudonym Certificate Authority (PCA)
  • Registration Authority (RA)

The validity duration of application certificate is short due to the assumption that RSEs have frequent online connectivity.


In order to facilitate the certificate request process, a RSE must meet the following prerequisites:
  • RSE has a valid enrollment certificate
  • RSE has root CA, RA and PCA certificates installed
  • RSE knows the FQDN of the RA


The following flow chart documents the general flow of steps an RSE needs to carry out in the given order to obtain application certificates. It is not a 100% accurate description of the process. Please refer to the use case's steps and their requirements for a complete description of the process.

Application Certificate Provisioning Process


At a high level, two steps are relevant towards a RSE:

  1. Request RSE Application Certificate
  2. Download RSE Application Certificate

Having determined which RA to submit the request to, the RSE creates a request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the LOP/RA. The RA checks to make sure that the certificate request is correct and authorized, then sends back a download location (requestHash) and time (certDLTime). The RA then forwards the certificate request to the PCA. The PCA signs the application certificate, encrypts them for the RSE, signs the encrypted version of the certificate, and returns the encrypted and signed application certificate to the RA. The RA does not remove any of the named signatures or encryptions, adds them to a zip file and stores them for download by the RSE. The RSE starts downloading the zip files at certDLTime.