
RSA BSAFE Cert-C
API Reference

Cert-C SCEP Database Service Provider

Cert-C SCEP Database Service Provider Elements:
      DB_FUNCS (implements only two functions: SelectCertByAttributes and Finalize)
      DB_SCEP_INIT_PARAMS
      DB_SCEP_INIT_STRUCT
      S_InitializeSCEPDB

The Cert-C SCEP Database service provider supports the retrieval of CA and RA certificates, and certain certificate chains leading to them, from network devices such as routers. RSA Security developed this service provider using the interfaces specified in Cisco Systems' Simple Certificate Enrollment Protocol (SCEP) specification. This service provider is suitable for network devices that need to retrieve the trusted-root certificates used with an SCEP PKI service provider when an LDAP server is not available. Once retrieved, these certificates are usually retained in some type of local storage until the device is either reinitialized or redeployed. Before a client can begin certificate enrollment, it must establish a CA or RA root certificate; once this is done, the client can verify the signatures of the certificates issued under that root. The Cert-C SCEP Database service provider does not support any SCEP functionality other than CA and RA certificate retrieval. For other supported SCEP certificate management functionality, see the Cert-C SCEP PKI service provider.

When a CA certificate is retrieved, use an out-of-band method to authenticate it. Do this by comparing the root certificate's fingerprint with information provided by the CA or RA administrator. The resulting certificate(s) can be added to a list of trusted certificates that the client can use to perform subsequent certificate-path validations in the client application.

The Cert-C SCEP Database service provider supports only one API, C_SelectCertByAttributes. Depending upon how this interface is used, the client application generates either a GetCACert or GetCACertChain SCEP request to fetch the CA certificate, the RA certificate, or potentially the certificate chain leading to either certificate. The client's SCEP request (turned into an HTTP GET request) is directed at the CA server. CGI parameters and arguments are constructed using input data provided by the client.
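The two client-side steps described above, the GetCACert/GetCACertChain fetch and the out-of-band fingerprint check that must precede trusting the result, as an added Python sketch that is not Cert-C code and does not use the Cert-C API. The URL layout (operation and message CGI parameters) is taken from the SCEP specification, not from this page; the base URL, CA identifier and certificate bytes are constructed placeholders.

```python
"""Client-side handling of a SCEP CA certificate fetch (constructed example, not Cert-C code)."""
import hashlib
import hmac
from urllib.parse import urlencode


def build_getcacert_url(ca_base_url, ca_ident, chain=False):
    """Build the HTTP GET URL for a GetCACert (or GetCACertChain) request.
    Layout per the SCEP specification: <base>?operation=<op>&message=<CA-IDENT>."""
    op = "GetCACertChain" if chain else "GetCACert"
    return f"{ca_base_url}?{urlencode({'operation': op, 'message': ca_ident})}"


def fingerprint(der_bytes, algo="sha256"):
    """Fingerprint = hash of the DER-encoded certificate as colon-separated hex,
    the form a CA or RA administrator usually publishes."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept the variants an administrator may hand over: colons, spaces, mixed case."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def verify_out_of_band(der_bytes, admin_fingerprint, algo="sha256"):
    """Compare the fetched root's fingerprint with the value obtained out of band
    (constant-time compare). Only an exact match counts; anything else is untrusted."""
    got = normalize_fingerprint(fingerprint(der_bytes, algo))
    want = normalize_fingerprint(admin_fingerprint)
    return bool(want) and hmac.compare_digest(got, want)


def add_trusted_root(trust_store, der_bytes, admin_fingerprint):
    """Append the CA certificate to the local trusted list only after the
    fingerprint check passes; otherwise refuse and leave the store unchanged."""
    if not verify_out_of_band(der_bytes, admin_fingerprint):
        raise ValueError("CA certificate fingerprint does not match the out-of-band value")
    trust_store.append(der_bytes)
    return len(trust_store)


# Constructed stand-in for DER bytes returned by GetCACert (not a real certificate).
SAMPLE_CA_DER = b"\x30\x82\x01\x00constructed-ca-certificate-bytes"
# Constructed placeholder for the server base URL and CA identifier.
SAMPLE_BASE_URL = "http://ca.example.test/cgi-bin/pkiclient.exe"
SAMPLE_CA_IDENT = "CA-IDENT"
```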

The data structures used with this service provider are DB_FUNCS, DB_SCEP_INIT_PARAMS, and DB_SCEP_INIT_STRUCT. This service provider only implements DB_FUNCS's Finalize and SelectCertByAttributes functions.

To initialize or register the Cert-C SCEP Database service provider, call either the C_InitializeCertC or the C_RegisterService function. Both functions take a SERVICE_HANDLER and a POINTER to a parameters structure. The SERVICE_HANDLER's Initialize parameter points to the S_InitializeSCEPDB function, and the corresponding POINTER should point to a DB_SCEP_INIT_PARAMS structure. S_InitializeSCEPDB initializes the Cert-C SCEP Database service provider's implementation of the database functions and stores pointers to them in SERVICE_FUNCS's db member, which is a DB_FUNCS structure. Never call S_InitializeSCEPDB directly.

To use the Cert-C SCEP Database service provider in an application, be sure to link in the certcsp library and include the scepdb.h header file.




RSA BSAFE® Cert-C 2.7 API Reference