2.2.3 SignCert Response

A SignCert Response message is returned by the OTPCEP server as a response to a SignCert Request message (section 2.2.2) received from the client.

The message MUST be a Unicode XML 1.0 document that uses the following XML namespace as its default:

http://schemas.microsoft.com/otpcep/1.0/protocol

The document MUST contain a signCertResponse element. The message MUST NOT include additional data before or after the XML document. The XML document MAY contain trailing whitespace as part of the encoded content, as specified in [XML] section 2.1.

  <xs:complexType name="SignCertResponse">
    <xs:sequence>
      <xs:element name="IssuingCA" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded" />
    </xs:sequence>
    <xs:attribute name="statusCode" type="otpcep:SignCertStatusCode" use="required" />
    <xs:attribute name="SignedCertRequest" type="otpcep:CertificateBase64Binary" use="optional" />
  </xs:complexType>

The signCertResponse element contains the following child element and attributes:

IssuingCA (optional child element, zero or more occurrences):  If the user credentials are valid and the statusCode attribute equals Success, one or more IssuingCA elements carry the names (of type xs:anyURI) of the CA servers from which the client enrolls the short-lived smart card certificate. Otherwise, this field MUST be empty (no IssuingCA element is present).

statusCode (required):  One of the following enumeration values of otpcep:SignCertStatusCode.

  Value                       Meaning
  Success                     Certificate enrollment request was signed successfully.
  AuthenticationError         User credentials validation failed.
  ChallengeResponseRequired   User credentials were challenged; a challenge response is required.
  OtherError                  Other error occurred during the validation of the OTP credentials or during signing of the certificate enrollment request.

SignedCertRequest (optional):  If the user credentials are valid and the statusCode attribute equals Success, the signed certificate enrollment request, base64-encoded (type otpcep:CertificateBase64Binary), is included in the SignCert Response message. Otherwise, this field MUST be empty.
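The rules above are the ones a client should enforce before it trusts anything in the response: the namespace and root element, the required and enumerated statusCode, the base64 payload, and the cross-field rule that IssuingCA and SignedCertRequest appear only with Success. The following validator is an added example and is not the protocol's or any product's own code. It takes the element, attribute, namespace and enumeration names from this section; the two sample messages, the IssuingCA URIs and the request bytes in them are constructed for illustration. It uses the standard-library xml.etree parser to stay self-contained; for responses from an untrusted network peer, parsing with defusedxml is the safer choice.

```python
"""Validator for an OTPCEP SignCert Response message (added example, not the
protocol's own code). Names come from section 2.2.3; sample messages, IssuingCA
URIs and request bytes below are constructed."""
import base64
import xml.etree.ElementTree as ET

OTPCEP_NS = "http://schemas.microsoft.com/otpcep/1.0/protocol"
ROOT_TAG = "{%s}signCertResponse" % OTPCEP_NS
ISSUING_CA_TAG = "{%s}IssuingCA" % OTPCEP_NS
# Enumeration values of otpcep:SignCertStatusCode; the comparison is case-sensitive.
STATUS_CODES = frozenset(
    {"Success", "AuthenticationError", "ChallengeResponseRequired", "OtherError"}
)


class SignCertResponseError(ValueError):
    """The message violates a MUST/MUST NOT rule of section 2.2.3."""


def parse_sign_cert_response(message: str) -> dict:
    """Validate a SignCert Response and return its fields.

    Result keys: "statusCode" (str), "IssuingCA" (list of str) and
    "SignedCertRequest" (decoded bytes, or None when the attribute is absent).
    """
    # Exactly one XML document; only trailing whitespace may follow it.
    # expat rejects leading junk and reports "junk after document element".
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        raise SignCertResponseError("not a well-formed XML document: %s" % exc) from exc

    # The root MUST be signCertResponse in the OTPCEP default namespace;
    # ElementTree exposes the qualified name as "{namespace}localname".
    if root.tag != ROOT_TAG:
        raise SignCertResponseError("unexpected root element %r" % root.tag)

    # statusCode is required and MUST be one of the enumeration values.
    status = root.get("statusCode")
    if status is None:
        raise SignCertResponseError("statusCode attribute is required")
    if status not in STATUS_CODES:
        raise SignCertResponseError("unknown statusCode %r" % status)

    # The schema allows only IssuingCA children (zero or more, xs:anyURI).
    issuing_cas = []
    for child in root:
        if child.tag != ISSUING_CA_TAG:
            raise SignCertResponseError("unexpected child element %r" % child.tag)
        name = (child.text or "").strip()
        if not name:
            raise SignCertResponseError("empty IssuingCA element")
        issuing_cas.append(name)

    # SignedCertRequest is base64; validate=True rejects characters outside the
    # alphabet instead of silently dropping them.
    signed = None
    raw = root.get("SignedCertRequest")
    if raw is not None:
        try:
            signed = base64.b64decode(raw, validate=True)
        except ValueError as exc:
            raise SignCertResponseError("SignedCertRequest is not valid base64") from exc
        if not signed:
            raise SignCertResponseError("SignedCertRequest is present but empty")

    # Cross-field rule: with Success both fields are present; with any other
    # status both MUST be empty.
    if status == "Success":
        if not issuing_cas:
            raise SignCertResponseError("Success response lists no IssuingCA")
        if signed is None:
            raise SignCertResponseError("Success response lacks SignedCertRequest")
    elif issuing_cas or signed is not None:
        raise SignCertResponseError(
            "IssuingCA/SignedCertRequest MUST be empty when statusCode is %s" % status
        )

    return {"statusCode": status, "IssuingCA": issuing_cas, "SignedCertRequest": signed}


def validation_error(message: str):
    """Return the violation text for a message, or None if it is acceptable."""
    try:
        parse_sign_cert_response(message)
    except SignCertResponseError as exc:
        return str(exc)
    return None


# Constructed samples (not captured from a real OTPCEP server).
SIGNED_REQUEST = b"\x30\x82\x01\x00constructed-signed-enrollment-request"
SAMPLE_SUCCESS = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<signCertResponse xmlns="%s" statusCode="Success" SignedCertRequest="%s">\n'
    '  <IssuingCA>https://ca01.example.test/ca</IssuingCA>\n'
    '  <IssuingCA>https://ca02.example.test/ca</IssuingCA>\n'
    '</signCertResponse>\n'
) % (OTPCEP_NS, base64.b64encode(SIGNED_REQUEST).decode("ascii"))
SAMPLE_AUTH_ERROR = '<signCertResponse xmlns="%s" statusCode="AuthenticationError"/>' % OTPCEP_NS

if __name__ == "__main__":
    print(parse_sign_cert_response(SAMPLE_SUCCESS))
    print(parse_sign_cert_response(SAMPLE_AUTH_ERROR))
    print(validation_error(SAMPLE_SUCCESS + "trailing-data"))
```

The checks are deliberately strict in both directions: a non-Success response that still carries a SignedCertRequest, or a Success response without one, is rejected rather than partially used, so a client never enrolls against a CA list or signed request that the status code does not vouch for.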