Certificate Store Access via HTTP

RFC 4387

This protocol to retrieve CRLs and certificates is described in RFC 4387.

Only CA certificates can be fetched and the attributes certHash, uri, iAndSHash and name are not implemented as they are not relevant CA certificates and CRLs.

To enable specifying that a delta CRL should be fetched, the extra parameter delta is added to the URL:


Note that adding the delta parameter is not described in the RFC.

When searching for certificates, use iHash, sHash, and sKIDHash. iHash is the ASN1 encoded DN of the issuer in a certificate and retrieves all certificates that have the same issuer, except for the root certificate. To search for root certificates, use sHash.

For information on implementing your own application accessing the VA, refer to the EJBCA junit test class org.ejbca.ui.web.protocol.CertStoreServletTest.