1.3 Overview

Many network administrators maintaining a secure network require that clients accessing their networks comply with policies established for the network. For example, an administrator might require that every client accessing the network have an active firewall. One of the ways that administrators can ensure compliance of network endpoints is to require that clients enroll for a health certificate. Health certificates encapsulate client compliance with policy in a way that can be presented to interested parties without requiring those parties to perform the validation themselves.

The Health Certificate Enrollment Protocol is designed to accomplish health certificate enrollment. The client sends a Health Certificate Enrollment Protocol request to a health registration authority (HRA). The Health Certificate Enrollment Protocol request includes a certificate request and a report of the client's current health state. The HRA communicates with health policy servers and certification authorities to form and send a Health Certificate Enrollment Protocol response to the client. If the client is compliant, the response contains an issued certificate and the results of the validation of the client's health state against policy.

The Health Certificate Enrollment Protocol has authenticated and unauthenticated modes. In the authenticated mode, the Health Certificate Enrollment Protocol supports authentication of the server, client, or both. Authentication of the server in the Health Certificate Enrollment Protocol is achieved by using the Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS), as specified in [RFC2818]. During the establishment of the TLS channel, as specified in [RFC2246], the server is authenticated by the client. Authentication of the client in the Health Certificate Enrollment Protocol is achieved by using Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)–based Kerberos and NTLM HTTP authentication, as specified in [RFC4559].

The Health Certificate Enrollment Protocol is typically deployed in an environment such as the one in the following figure. The use of a policy engine as a Remote Authentication Dial-In User Service (RADIUS) proxy is an optional configuration in enterprise environments.

Figure 1: Deployment environment for the Health Certificate Enrollment Protocol

In this example, the flow is as follows:

  1. The health certificate enrollment agent (HCEA) sends a Health Certificate Enrollment Protocol request to the HRA. The HRA is identified by the Uniform Resource Locator (URL) with which the HCEA is provisioned. The protocol that is specified by the provisioned URL determines whether the HRA is authenticated by using TLS. (HTTP over TLS is equivalent to Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).)

    The payload of a Health Certificate Enrollment Protocol request message, sent by the HCEA, contains a Public Key Cryptography Standards (PKCS) #10 certificate request (as specified in [RFC2986]). The PKCS #10 request contains a Statement of Health (SoH) message, as specified in [TNC-IF-TNCCSPBSoH] section 3.5.

  2. The HRA sends the SoH to a health policy server for evaluation against the network's policies, either over an internal interface or over any standard or implementation-specific protocol. In the deployment environment depicted in the preceding figure, RADIUS is used (for more information, see [RFC2865]) together with Microsoft RADIUS Attributes for Network Access Protection (for more information, see [MS-RNAP]). The health policy server determines the health state of the client and reports it to the HRA.

  3. If the health state of the client is compliant, the HRA requests a certificate authority (CA) to issue a certificate. The Microsoft implementation of the HRA uses the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE], to request and receive the certificate. If the client's health state is not compliant, the HRA can still request a certificate from the certificate authority with the certificate containing an indication that the client is unhealthy.

  4. The HRA sends a Health Certificate Enrollment Protocol response.

    If the health state of the client is compliant, the payload of the response contains a statement of health response (SoHR) (as specified in [TNC-IF-TNCCSPBSoH]) and a PKCS #7 message (as specified in [RFC2315]) with an X.509 certificate (for more information, see [X509]), as specified in [RFC3280].

    If the health state of the client is not compliant, the payload of the response contains an SoHR and can contain a PKCS #7 message containing the certificate.

  5. The HCEA receives the Health Certificate Enrollment Protocol (HCEP) response and, if a certificate was included, deposits the certificate in the PersistedComputerCertificates ADM element specified in section 3.1.1.
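The five-step flow above, modeled as an added example that is not part of this specification: the request and response objects, the policy evaluator (which only checks the firewall condition from the Overview's example) and the CA are constructed stand-ins for the real wire formats, the health policy server and [MS-WCCE], and the `issue_unhealthy_certs` switch is an assumed deployment option that models the HRA's choice in step 3.

```python
"""Toy model of the HCEP flow (steps 1-5). Illustrative only: message
fields, the policy evaluator and the CA are constructed stand-ins, not
the formats defined later in this specification."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HcepRequest:          # step 1: sent by the HCEA to the HRA
    url: str                # provisioned HRA URL; its scheme selects TLS
    pkcs10: bytes           # placeholder for the PKCS #10 certificate request
    soh: dict               # Statement of Health carried inside the PKCS #10


@dataclass
class HcepResponse:         # step 4: sent by the HRA to the HCEA
    sohr: dict                      # Statement of Health Response
    pkcs7: Optional[bytes] = None   # certificate, present only if issued


def server_is_authenticated(url: str) -> bool:
    """Step 1: an https:// URL means HTTP over TLS, so the HCEA authenticates the HRA."""
    return url.lower().startswith("https://")


def evaluate_soh(soh: dict) -> dict:
    """Step 2 stand-in for the health policy server (constructed policy:
    the client is compliant only if its firewall is active)."""
    compliant = bool(soh.get("firewall_enabled"))
    return {"compliant": compliant, "failed_checks": [] if compliant else ["firewall"]}


def ca_issue(pkcs10: bytes, healthy: bool) -> bytes:
    """Step 3 stand-in for the CA (constructed; a real HRA uses [MS-WCCE]).
    The health indication is carried in the issued certificate."""
    return b"PKCS7:" + (b"HEALTHY" if healthy else b"UNHEALTHY") + b":" + pkcs10


def hra_handle(req: HcepRequest, issue_unhealthy_certs: bool = False) -> HcepResponse:
    """Steps 2-4: a compliant client gets a SoHR and a certificate; a
    non-compliant one gets a SoHR and, optionally, a cert marked unhealthy."""
    sohr = evaluate_soh(req.soh)
    if sohr["compliant"]:
        return HcepResponse(sohr, ca_issue(req.pkcs10, healthy=True))
    if issue_unhealthy_certs:
        return HcepResponse(sohr, ca_issue(req.pkcs10, healthy=False))
    return HcepResponse(sohr)


def hcea_receive(resp: HcepResponse, persisted: List[bytes]) -> List[bytes]:
    """Step 5: store the certificate in PersistedComputerCertificates only
    when the response actually carried one."""
    if resp.pkcs7 is not None:
        persisted.append(resp.pkcs7)
    return persisted
```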