3.1.4.2.1.1 New and Renewal Request Processing

A wst:RequestSecurityToken message with a wst:RequestType value of "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" is used for the purposes of issuing an X.509v3 certificate or for renewal of an existing X.509v3 certificate.

For this type of message, a server has additional syntax constraints on the request message.

wsse:BinarySecurityToken: If the wsse:BinarySecurityToken element is absent or undefined, the server MUST respond with a SOAP fault.

wstep:RequestID: If the wstep:RequestID element is present and defined, the server SHOULD ignore it.

The server MUST provide the wsse:BinarySecurityToken to the Issuer and SHOULD provide the auth:AdditionalContext (see section 3.1.4.1.3.3) to the Issuer.

If the Issuer responds with an error, the server MUST respond with a SOAP fault. If the Issuer indicates the issuance is pending, the server MUST use the Issuer response to generate a pending wst:RequestSecurityTokenResponseCollectionMsg message. If the Issuer responds with an issued certificate, the server MUST respond with a wst:RequestSecurityTokenResponseCollectionMsg message providing the issued certificate.
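The server-side processing rules above, as an added example that is not part of the specification: it parses a wst:RequestSecurityToken carried in a SOAP 1.2 body, enforces the wsse:BinarySecurityToken constraint, ignores wstep:RequestID, and maps the Issuer's outcome to the response the section prescribes. The wst namespace URI comes from the page; the wsse, wstep, auth and SOAP namespace URIs, the `build_rst` sample-message builder and the `issuer` callable (a stand-in for the CA) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to resist entity attacks
from enum import Enum
from typing import Callable, Optional, Tuple

# Namespace URIs: wst is on the page; the rest are assumed standard values.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wstep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollment",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"

class Outcome(Enum):
    SOAP_FAULT = "SOAP fault"
    PENDING = "pending wst:RequestSecurityTokenResponseCollectionMsg"
    ISSUED = "wst:RequestSecurityTokenResponseCollectionMsg with certificate"

# issuer(bst_text, additional_context) -> ("error" | "pending" | "issued", payload)
Issuer = Callable[[str, Optional[ET.Element]], Tuple[str, Optional[str]]]

def process_issue_request(soap_xml: str, issuer: Issuer) -> Tuple[Outcome, Optional[str]]:
    """Apply the section's constraints to one RST message and return the response kind."""
    rst = ET.fromstring(soap_xml).find(".//wst:RequestSecurityToken", NS)
    if rst is None or rst.findtext("wst:RequestType", default="", namespaces=NS).strip() != ISSUE:
        return Outcome.SOAP_FAULT, None          # not an Issue request: fail closed
    bst = rst.find("wsse:BinarySecurityToken", NS)
    if bst is None or not (bst.text or "").strip():
        return Outcome.SOAP_FAULT, None          # BinarySecurityToken absent or undefined: MUST fault
    # wstep:RequestID is deliberately never read: the server SHOULD ignore it.
    ctx = rst.find("auth:AdditionalContext", NS)  # SHOULD be forwarded to the Issuer if present
    status, payload = issuer(bst.text.strip(), ctx)
    if status == "pending":
        return Outcome.PENDING, None
    if status == "issued":
        return Outcome.ISSUED, payload
    return Outcome.SOAP_FAULT, None              # Issuer error, or an unknown state: fault

def build_rst(bst: Optional[str] = None, request_id: Optional[str] = None) -> str:
    """Constructed sample request (not a captured message) for local testing."""
    parts = [f"<wst:RequestType>{ISSUE}</wst:RequestType>"]
    if bst is not None:
        parts.append(f"<wsse:BinarySecurityToken>{bst}</wsse:BinarySecurityToken>")
    if request_id is not None:
        parts.append(f"<wstep:RequestID>{request_id}</wstep:RequestID>")
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wst="{NS["wst"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wstep="{NS["wstep"]}"><s:Body><wst:RequestSecurityToken>'
            f'{"".join(parts)}</wst:RequestSecurityToken></s:Body></s:Envelope>')
```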