1.5 Prerequisites/Preconditions
For Health Certificate Enrollment Protocol communication to begin, the prerequisite configuration for HCEA is as follows:
The HCEA has to be configured with the list of the URLs of the HRAs via an implementation-dependent method.<1>The protocol that is specified by the specific provisioned URL determines if the respective HRA is authenticated by using TLS. (HTTP over TLS is equivalent to HTTPS.) For more information, see section 1.3.
The HCEA has to be configured with the required security parameters to construct a certificate request that is sent in the Health Certificate Enrollment Protocol request. These include, but are not limited to:
The algorithm and key length of the public-private key pair associated with the certificate. The HCEA has to support the Rivest-Shamir-Adleman (RSA) algorithm with a key length of 2,048 bits. Other key lengths can<2> be supported. For more information, see [RFC3447].
The signature algorithm used to sign the certificate request. The HCEA has to support the Secure Hash Algorithm 1 (SHA1), as specified in [RFC3174].
It is preferable for the HCEA and HRA to agree on the algorithm that the Health Certificate Enrollment Protocol uses.<3>
The HCEA and HRA implementations are required to agree on the same object identifier (OID) values for the fields in section 2.2.1.4.<4>
The prerequisite configuration for the HRA is the following:
If the HRA is configured to authenticate the client, the settings required, as specified in [RFC4559] section 4.1, have to be configured on the HRA.
If the HRA is configured to authenticate the client, the handling of the authentication by the HTTP layer as specified in [RFC4559] is a precondition for processing the HCEP request. The failure of the authentication has to be processed by HTTP in accordance with [RFC4559].