The EJBCA Web Service (WS) API method cvcRequest is used for enrolling and renewing DVs and ISs.
The following process applies when a CVC request is received through the WS API call:
- Look up whether a user with the specified username exists.
- If the user exists:
  - If the user's status is revoked, the request is denied (AuthorizationDeniedException).
  - See if the user has old certificates.
  - If there are old certificates and the request is an authenticated request (with outer signature):
    - If the request uses the same public key as the old certificate, the request is denied (AuthorizationDeniedException).
    - If the old certificate can verify the request but the certificate is not valid, we throw a CertificateExpiredException.
    - If the request can be verified using one of the old valid certificates, the request is automatically granted, the user status is set to new, and the password is set to the given password.
    - If the request cannot be verified at all, the request is denied (AuthorizationDeniedException).
  - If there are no old certificates, we try to process the request as a non-authenticated request.
- If the user does not exist, we try to process the request as a non-authenticated request.

Processing the request as a non-authenticated request means that we try to authenticate using the given password, which only works if the user status is new.
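The decision flow above as a small Python model, useful for checking which outcome a given request should produce. This is an added example, not EJBCA code: the data classes, the status strings, the key-equality stand-in for signature verification, and `PasswordAuthFailed` are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

class AuthorizationDeniedException(Exception): pass
class CertificateExpiredException(Exception): pass
class PasswordAuthFailed(Exception): pass  # hypothetical; the page names no exception here

@dataclass
class OldCert:
    public_key: str
    valid: bool            # True while inside its validity period

@dataclass
class User:
    status: str            # "new", "generated" or "revoked" (model values)
    password: str
    old_certs: list = field(default_factory=list)

@dataclass
class Request:
    public_key: str
    password: str
    outer_signer_key: Optional[str] = None  # None = no outer signature

def cvc_request(users, username, req):
    user = users.get(username)
    if user is not None:
        if user.status == "revoked":
            raise AuthorizationDeniedException("user is revoked")
        if user.old_certs and req.outer_signer_key is not None:
            if any(c.public_key == req.public_key for c in user.old_certs):
                raise AuthorizationDeniedException("public key reused")
            # Model: a cert "verifies" the request if its key made the outer signature.
            verifiers = [c for c in user.old_certs if c.public_key == req.outer_signer_key]
            if any(c.valid for c in verifiers):
                user.status, user.password = "new", req.password
                return "granted"
            if verifiers:
                raise CertificateExpiredException("verifying certificate not valid")
            raise AuthorizationDeniedException("outer signature not verifiable")
    # Non-authenticated path. Assumption: an unsigned request from a user
    # with old certificates also lands here (the page does not say).
    if user is None or user.status != "new" or not hmac.compare_digest(user.password, req.password):
        raise PasswordAuthFailed("password authentication failed")
    return "granted"
```

Note that in this flow a renewal signed by a still-valid old certificate resets the stored password without the old password being checked, so control of the old private key is the sole authenticator on that path.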