3.2.4.1.7 GetSigningCertificates (Opnum 9)

The GetSigningCertificates method retrieves a list of certificates available at the responder machine that can be used to sign responses to OCSP requests regarding certificates issued by the specified CA certificate.

 HRESULT GetSigningCertificates(
   [in, ref] const VARIANT* pCAVar,
   [out, ref] VARIANT* pSigningCertificates
 );

pCAVar: A pointer to a VARIANT data type containing the CA certificate. The vt member of VARIANT SHOULD be set to VT_ARRAY | VT_UI1, and the pArray member SHOULD reference a safearray that contains the ASN.1 DER encoded X.509 certificate data type containing the CA certificate.

pSigningCertificates: A pointer to a VARIANT data type containing the list of certificates. On successful return, the server SHOULD set the vt member of the VARIANT to VT_ARRAY | VT_UI1, and the pArray member SHOULD reference a safearray that contains the ASN.1 DER encoded degenerate PKCS#7 [RFC2315] containing the certificates.

The following processing rules apply:

  1. If pCAVar or pSigningCertificates is NULL, the responder MUST fail the request. The error code SHOULD be 0x800706f4.

  2. The VARIANT referenced by pCAVar SHOULD have vt member set to VT_ARRAY | VT_UI1; otherwise, the server MUST fail the request. The error code SHOULD be 0x80070057.

  3. The pArray member of the VARIANT referenced by pCAVar SHOULD reference a safearray that contains the ASN.1 DER encoded X509 certificate; otherwise, the server MUST fail the request. The error code SHOULD be 0x80070057.

  4. Each certificate returned in the PKCS#7 contained in pSigningCertificates SHOULD meet the following criteria:

    • The certificate MUST include the id-kp-OCSPSigning key purpose in its extendedKeyUsage extension, as defined in [RFC2560] section 4.2.2.2.

    • The certificate MUST be signed by the CA certificate passed in pCAVar to this method.

    • The responder MUST have access to the private key corresponding to the public key in the certificate.

  5. If there are no OCSP signing certificates that match the criteria specified in processing rule (4), the server SHOULD return an empty list of signing certificates as an ASN.1 DER encoded degenerate PKCS#7 [RFC2315] containing no certificates.
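The following Go program is an added illustration, not code from the specification or from any Windows component: it applies processing rules 3 and 4 to a constructed certificate store (a self-signed CA plus four candidates, only one of which meets all three bullets) and leaves out the final wrapping into the degenerate PKCS#7 of pSigningCertificates. The function names SelectSigningCerts and DemoStore and the hasKey callback standing in for "the responder has access to the private key" are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"slices"
	"time"
)

// SelectSigningCerts applies rules 3 and 4: caDER must parse as a DER X.509 certificate, and a store
// entry is returned only if it carries id-kp-OCSPSigning, verifies under that CA and hasKey is true.
func SelectSigningCerts(caDER []byte, store [][]byte, hasKey func(*x509.Certificate) bool) ([]*x509.Certificate, error) {
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err // rule 3: the server reports this as 0x80070057
	}
	var out []*x509.Certificate
	for _, der := range store {
		cert, err := x509.ParseCertificate(der)
		if err != nil || !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning) ||
			cert.CheckSignatureFrom(ca) != nil || !hasKey(cert) {
			continue // fails at least one bullet of rule 4
		}
		out = append(out, cert)
	}
	return out, nil // rule 5: an empty list is a valid result
}

// DemoStore returns constructed test data (not real certificates): the CA's DER, a store with
// serials 3..6 of which only serial 3 satisfies every bullet of rule 4, and the hasKey callback.
func DemoStore() ([]byte, [][]byte, func(*x509.Certificate) bool) {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, leafKey := key(), key()
	tmpl := func(n int64, isCA bool, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(n), IsCA: isCA, BasicConstraintsValid: true,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	}
	issue := func(t, parent *x509.Certificate, pub, signer *ecdsa.PrivateKey) []byte {
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, &pub.PublicKey, signer) // bad DER fails ParseCertificate above
		return der
	}
	caT, rogue := tmpl(1, true, x509.ExtKeyUsageAny), tmpl(5, false, x509.ExtKeyUsageOCSPSigning)
	store := [][]byte{
		issue(tmpl(3, false, x509.ExtKeyUsageOCSPSigning), caT, leafKey, caKey), // meets all three bullets
		issue(tmpl(4, false, x509.ExtKeyUsageServerAuth), caT, leafKey, caKey),  // lacks id-kp-OCSPSigning
		issue(rogue, rogue, leafKey, leafKey),                                   // self-signed: not issued by the CA
		issue(tmpl(6, false, x509.ExtKeyUsageOCSPSigning), caT, leafKey, caKey), // responder holds no key for it
	}
	// The responder is assumed to hold every private key except the one for serial 6.
	return issue(caT, caT, caKey, caKey), store, func(c *x509.Certificate) bool { return c.SerialNumber.Int64() != 6 }
}
```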