Certificate Store Access via HTTP

This operational protocol, used to retrieve CRLs and certificates, is described in RFC 4387.

CA certificates and CRLs can be fetched with the attributes iHash, sHash, and sKIDHash. The attributes certHash, uri, iAndSHash, and name are not implemented, as they are not relevant for CA certificates and CRLs.

To specify that a delta CRL should be fetched, the extra parameter delta is appended to the URL:

http://ejbca.example.com:8080/ejbca/publicweb/crls/search.cgi?sKIDHash=X4NX3VF9u/tzkkGZU6M6OEffhFc&delta=

Adding the delta parameter is not described in RFC 4387.

This operational protocol can be used for retrieving partitioned CRLs when configured on a CA in EJBCA:

http://ejbca.example.com:8080/ejbca/publicweb/crls/search.cgi?iHash=A0LJKitIFOPr%2BpXooZ7b3EWNyu0&partition=123

When searching for certificates, use iHash, sHash, and sKIDHash. iHash is the hash of the ASN.1-encoded DN of the issuer in a certificate and retrieves all certificates that have the same issuer, except for the root certificate. To search for root certificates, use sHash.

If you have the subjectKeyId/sKIDHash of a CA certificate, you can retrieve the CA certificate using the URL below (it is the same sKIDHash value that is stored in the subjectKeyId column of the CertificateData table in the database):

http://ejbca.example.com:8080/ejbca/publicweb/certificates/search.cgi?sKIDHash=fCFvQu6eT4vpNHs62SAe7deePcc=
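The following is an added example, not EJBCA's own code, showing how an RFC 4387 iHash/sHash value is derived (base64 of the SHA-1 hash over the DER-encoded issuer or subject Name) and how the search URLs above are assembled with percent-encoded values. The hash must be computed over the Name bytes exactly as they appear in the certificate; the hand-built Name for the constructed "Test CA" subject is only there so the example runs offline, and the base URL is the same placeholder host used above.

```python
"""Derive RFC 4387 name hashes and build EJBCA certificate-store search URLs.

Added example (not EJBCA code). iHash/sHash are base64(SHA-1(DER Name)).
"""
import base64
import hashlib
from urllib.parse import urlencode

# Attribute type OIDs, DER content bytes: 2.5.4.3 commonName, 2.5.4.10 organizationName
ATTR_OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_name(rdns) -> bytes:
    """Encode Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one AVA per RDN,
    with UTF8String values (a real certificate may use other string types)."""
    sets = b""
    for attr, value in rdns:
        oid = der_tlv(0x06, ATTR_OIDS[attr])
        ava = der_tlv(0x30, oid + der_tlv(0x0C, value.encode("utf-8")))
        sets += der_tlv(0x31, ava)
    return der_tlv(0x30, sets)


def name_hash(name_der: bytes) -> str:
    """RFC 4387 iHash/sHash value: base64 of the SHA-1 digest of the DER Name."""
    return base64.b64encode(hashlib.sha1(name_der).digest()).decode("ascii")


def search_url(base: str, store: str, **attrs: str) -> str:
    """Build <base>/ejbca/publicweb/<store>/search.cgi?... with values percent-
    encoded, so a '+' in a base64 hash becomes %2B as in the examples above."""
    return f"{base}/ejbca/publicweb/{store}/search.cgi?" + urlencode(attrs)


if __name__ == "__main__":
    issuer = der_name([("CN", "Test CA"), ("O", "Example Org")])  # constructed subject
    ihash = name_hash(issuer)
    print(search_url("http://ejbca.example.com:8080", "certificates", iHash=ihash))
    print(search_url("http://ejbca.example.com:8080", "crls", iHash=ihash, delta=""))
```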

For information on implementing your own application that accesses the VA, refer to the EJBCA JUnit test class org.ejbca.ui.web.protocol.CertStoreServletTest.