3.3.3 Initialization

For secure communication, in the initialization process, the client MUST generate client key pairs and the client SOAP certificate (1) if they do not exist. Specifically, the following initialization steps MUST be performed:

  1. If the client key pairs do not exist, two new client key pairs, one for encryption and one for signing, MUST be generated and stored. Both MUST be RSA key pairs with a 2048-bit modulus.

  2. If the client certificate (1) does not exist, a new client certificate (1) MUST be generated in X.509 v3 format, DER encoded, with extensions carrying the encryption public key and related information. See section 3.2.3.1.2 for the definitions of the certificate (1) extensions. The subject and issuer Common Name (CN) fields of the certificate (1) are set to the management server hostname.

  3. The certificate (1) and management server identity information from the last step MUST be passed to the relay server through an out-of-band means.
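The three steps above, as an added worked example written for this page (not code from the specification or any implementing product), in Go using only the standard library. It generates the two RSA 2048-bit key pairs only when absent, builds a self-signed DER X.509 v3 certificate whose subject and issuer CN are the management server hostname, and embeds the encryption public key in a private extension. Assumptions made here that the page does not state: the certificate's own subject key is the signing key and the certificate is signed with it; the extension OID is a hypothetical placeholder standing in for the OID defined in section 3.2.3.1.2; the encryption public key is carried as a DER SubjectPublicKeyInfo; and `InspectClientCert` models the check the relay server can perform on the DER received out of band (step 3). The hostname `mgmt.example.test` is a constructed sample value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const rsaKeyBits = 2048

// placeholderEncKeyOID is an ASSUMED private-arc OID standing in for the
// encryption-public-key extension defined in section 3.2.3.1.2 (not from the spec).
var placeholderEncKeyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// ClientCredentials is the client's persisted state: both key pairs and the DER certificate.
type ClientCredentials struct {
	EncryptionKey *rsa.PrivateKey
	SigningKey    *rsa.PrivateKey
	CertDER       []byte
}

// InitializeClient performs steps 1 and 2. Key pairs are generated only if missing,
// and the certificate only if missing, so re-running on initialized state changes nothing.
func InitializeClient(state *ClientCredentials, serverHostname string) (*ClientCredentials, error) {
	if state == nil {
		state = &ClientCredentials{}
	}
	if state.EncryptionKey == nil || state.SigningKey == nil {
		enc, err := rsa.GenerateKey(rand.Reader, rsaKeyBits)
		if err != nil {
			return nil, err
		}
		sig, err := rsa.GenerateKey(rand.Reader, rsaKeyBits)
		if err != nil {
			return nil, err
		}
		state.EncryptionKey, state.SigningKey = enc, sig
		state.CertDER = nil // a certificate bound to the old keys must not be reused
	}
	if state.CertDER == nil {
		der, err := buildClientCert(state, serverHostname)
		if err != nil {
			return nil, err
		}
		state.CertDER = der
	}
	return state, nil
}

// buildClientCert creates the self-signed X.509 v3 certificate (assumption: signed with
// the signing key, encryption public key carried as DER SubjectPublicKeyInfo in the extension).
func buildClientCert(state *ClientCredentials, serverHostname string) ([]byte, error) {
	encPubDER, err := x509.MarshalPKIXPublicKey(&state.EncryptionKey.PublicKey)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    serial,
		Subject:         pkix.Name{CommonName: serverHostname}, // CN = management server hostname
		NotBefore:       time.Now().Add(-5 * time.Minute),
		NotAfter:        time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: placeholderEncKeyOID, Value: encPubDER}},
	}
	// Passing tmpl as its own parent makes issuer == subject (self-signed).
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &state.SigningKey.PublicKey, state.SigningKey)
}

// CertSummary is what the relay server can verify about the DER it received out of band.
type CertSummary struct {
	SubjectCN, IssuerCN               string
	SigningKeyBits, EncryptionKeyBits int
}

// InspectClientCert parses the DER certificate and recovers both public keys.
func InspectClientCert(der []byte) (*CertSummary, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	sigPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("subject key is not RSA")
	}
	s := &CertSummary{SubjectCN: cert.Subject.CommonName, IssuerCN: cert.Issuer.CommonName, SigningKeyBits: sigPub.N.BitLen()}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(placeholderEncKeyOID) {
			continue
		}
		pub, err := x509.ParsePKIXPublicKey(ext.Value)
		if err != nil {
			return nil, err
		}
		encPub, ok := pub.(*rsa.PublicKey)
		if !ok {
			return nil, errors.New("encryption key is not RSA")
		}
		s.EncryptionKeyBits = encPub.N.BitLen()
	}
	if s.EncryptionKeyBits == 0 {
		return nil, errors.New("encryption public key extension missing")
	}
	return s, nil
}

func main() {
	creds, err := InitializeClient(nil, "mgmt.example.test") // constructed sample hostname
	if err != nil {
		panic(err)
	}
	s, err := InspectClientCert(creds.CertDER)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v (%d DER bytes)\n", *s, len(creds.CertDER))
}
```

The split into `InitializeClient` and `InspectClientCert` mirrors the two parties: the client persists `ClientCredentials` and only ever fills in what is missing, while the relay server, which receives only the DER bytes out of band, can confirm the hostname binding and recover both 2048-bit public keys without any other channel.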