3.1.4.2.1.2 QueryTokenStatus Request Processing

A wst:RequestSecurityToken message with a <wst:RequestType> of "http://schemas.microsoft.com/windows/pki/2009/01/enrollment/QueryTokenStatus" is used to retrieve an issued certificate or check the status of a certificate request that was pending.

For this type of message, the server has additional syntax constraints on the request message.

The wstep:RequestID element is a null-terminated Unicode string that contains a certificate request identifier (as defined in section 3.1.4.1.2.4). If the <wstep:RequestID> element is absent, defined as nil, or contains no value, the server MUST return a SOAP fault.

The server MUST provide the wstep:RequestID to the Issuer.

If the Issuer responds with an error, the server MUST respond with a SOAP fault. If the Issuer indicates the issuance is pending, the server MUST use the Issuer response to generate a pending wst:RequestSecurityTokenResponseCollectionMsg message. If the Issuer responds with an issued certificate, the server MUST respond with a wst:RequestSecurityTokenResponseCollectionMsg message providing the issued certificate.
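The following sketch of the processing rules above is an added example, not part of the protocol specification or of any Microsoft implementation. It assumes the SOAP envelope has already been unwrapped; the namespace URIs, the `SoapFault` class, the `issuer` callable and its status strings are assumptions made for illustration, and the DTD check is added hardening that the rules above do not require.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions (WS-Trust 1.3, MS-WSTEP); the page gives only prefixes.
NS = {"wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wstep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollment"}
XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"
QUERY_TOKEN_STATUS = NS["wstep"] + "/QueryTokenStatus"  # RequestType from the page

# Constructed sample request; the RequestID value 42 is made up.
SAMPLE_RST = (
    '<wst:RequestSecurityToken xmlns:wst="%(wst)s" xmlns:wstep="%(wstep)s">'
    "<wst:RequestType>%(wstep)s/QueryTokenStatus</wst:RequestType>"
    "<wstep:RequestID>42</wstep:RequestID>"
    "</wst:RequestSecurityToken>" % NS)

class SoapFault(Exception):
    """Hypothetical stand-in for the SOAP fault the server MUST return."""

def extract_request_id(rst_xml):
    """Return the RequestID of a QueryTokenStatus RST, or raise SoapFault."""
    if "<!DOCTYPE" in rst_xml:  # added hardening: no DTDs in untrusted XML
        raise SoapFault("DTD not allowed")
    try:
        rst = ET.fromstring(rst_xml)
    except ET.ParseError as exc:
        raise SoapFault("malformed request") from exc
    if rst.findtext("wst:RequestType", "", NS).strip() != QUERY_TOKEN_STATUS:
        raise SoapFault("not a QueryTokenStatus request")
    elem = rst.find("wstep:RequestID", NS)
    if elem is None:
        raise SoapFault("RequestID absent")
    if elem.get(XSI_NIL, "").strip() in ("true", "1"):
        raise SoapFault("RequestID is nil")
    request_id = (elem.text or "").strip()
    if not request_id:
        raise SoapFault("RequestID has no value")
    return request_id

def process_query_token_status(rst_xml, issuer):
    """issuer: hypothetical callable, request_id -> (status, payload)."""
    status, payload = issuer(extract_request_id(rst_xml))
    if status == "issued":   # response message carrying the issued certificate
        return ("issued", payload)
    if status == "pending":  # pending response built from the Issuer response
        return ("pending", payload)
    raise SoapFault("issuer error")  # Issuer error becomes a SOAP fault
```

The Issuer is only called after the RequestID checks pass, so an absent, nil or empty identifier never reaches it.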