Web Service API

In the regular EJBCA WS-API there is a method for enrolling and renewing DVs and ISs: cvcRequest.

The process when a CVC request is received through the WS-API call is:

  1. Look up if there exists a user with the specified username.

  2. If the user exists:

    1. If the user's status is revoked, the request is denied (AuthorizationDeniedException).

    2. See if the user has old certificates.

    • If there are old certificates and the request is an authenticated request (with outer signature):

      • If the request uses the same public key as the old certificate, the request is denied (AuthorizationDeniedException).

      • If the old certificate can verify the request but the certificate is not valid we throw a CertificateExpiredException (in EJBCA 3.7.4 and earlier we tried to process the request as a non-authenticated request instead).

      • If the request can be verified using one of the old valid certificates, the request is automatically granted, the user's status is set to NEW and the password is set to the given password.

      • If the request cannot be verified at all, the request is denied (AuthorizationDeniedException).

    • If there are no old certificates we try to process the request as a non-authenticated request.

  3. If the user does not exist we try to process the request as a non-authenticated request.

  4. Processing the request as a non-authenticated request means that we try to authenticate using the password given, and that only works if the user's status is NEW.
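
The decision flow above, modeled as an added example (not EJBCA code): all class, function and constant names are hypothetical, signature verification is reduced to matching the outer signer's key against an old certificate's key, and the handling of an unsigned request from a user who has old certificates is an assumption, since the steps do not cover that case.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

DENIED = "AuthorizationDeniedException"
EXPIRED = "CertificateExpiredException"
GRANTED = "granted"
PASSWORD_FAILED = "password authentication failed"  # constructed label, not an EJBCA name

@dataclass
class OldCert:  # constructed stand-in for a previously issued certificate
    public_key: str
    valid: bool  # True while inside its validity period

@dataclass
class User:
    status: str  # e.g. "NEW", "GENERATED", "REVOKED"
    password: str
    old_certs: List[OldCert] = field(default_factory=list)

@dataclass
class Request:
    public_key: str
    password: str
    outer_signer_key: Optional[str] = None  # None means no outer signature

def password_auth(user: Optional[User], req: Request) -> str:
    # Step 4: password authentication only works for an existing user in status NEW.
    if user and user.status == "NEW" and hmac.compare_digest(
            user.password.encode(), req.password.encode()):
        return GRANTED
    return PASSWORD_FAILED

def cvc_request_outcome(user: Optional[User], req: Request) -> str:
    if user is None:  # step 3
        return password_auth(user, req)
    if user.status == "REVOKED":  # step 2.1
        return DENIED
    # Assumption: an unsigned request from a user with old certificates is
    # also handled as non-authenticated; the page leaves this case open.
    if not user.old_certs or req.outer_signer_key is None:
        return password_auth(user, req)
    if any(c.public_key == req.public_key for c in user.old_certs):
        return DENIED  # request reuses the public key of an old certificate
    signer = next((c for c in user.old_certs
                   if c.public_key == req.outer_signer_key), None)
    if signer is None:
        return DENIED  # no old certificate verifies the outer signature
    if not signer.valid:
        return EXPIRED  # verifies, but the certificate is not valid
    user.status, user.password = "NEW", req.password  # automatic grant
    return GRANTED
```
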

There are two more useful Web Service APIs that can be used, for example from a SPoC, to renew DVs: caRenewCertRequest and caCertResponse.