I am working on an SCEP implementation (both requester and authority). The project uses JScep as a library.
During the communication for a PKCSReq the client receives a CertRep SUCCESS. The draft says the following:
+----------------+--------------------------------------------------+
| Request-type | Reply-contents |
+----------------+--------------------------------------------------+
| PKCSReq | the reply MUST contain at least the issued |
| | certificate in the certificates field of the |
| | Signed-Data. The reply MAY contain additional |
| | certificates, but the issued certificate MUST be |
| | the first in the list. The reply MUST NOT |
| | contain a CRL. All returned certificates MUST |
| | conform to [RFC5280]. |
I am a bit confused about how to interpret "MAY contain additional certificates".
Does this mean that the whole cert chain will be presented in the response as a Collection (JScep)?
The whole certificate chain may be presented, but not necessarily. Generally I would expect SCEP servers to provide everything you need to establish a chain of trust.
If you call enrol() and the resulting EnrollmentResponse is successful (isSuccess()), you can then call getCertStore() to access a java.security.cert.CertStore. That CertStore will contain all the certificates sent by the server.
You can use the CertStoreInspector from jscep to directly extract relevant certificates like so:
See https://github.com/jscep/jscep/issues/48
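An added example (not from the question, the answer, or the jscep project) showing how a requester can pull its own certificate out of the CertStore that the answer describes, and then check that it chains to a CA certificate the requester already trusts. It uses only JDK APIs; the JScep calls in the trailing comment (Client.enrol, EnrollmentResponse.isSuccess, EnrollmentResponse.getCertStore) are the ones named in the answer, and the variable names there are assumptions. The point worth making explicit: a java.security.cert.CertStore is an unordered bag, so the draft's rule that the issued certificate "MUST be the first in the list" cannot be relied on once the reply has been parsed into a CertStore; selecting by the public key you enrolled is unambiguous. The other practitioner caveat is that any extra certificates in the reply are only path material, never trust anchors: the anchor must be a CA certificate you obtained and verified out of band (for example by fingerprint), otherwise a rogue responder could hand you a chain that "validates" to itself.

```java
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.GeneralSecurityException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;

/** Example helper, not part of jscep: locate and validate the certificate issued for our key. */
public final class IssuedCertificateExtractor {

    private IssuedCertificateExtractor() {}

    /**
     * Pick the certificate issued for our own key out of the CertStore that
     * EnrollmentResponse.getCertStore() returns. A CertStore is unordered, so
     * the "issued certificate MUST be first" rule from the draft cannot be used
     * here; match on the public key we put in the PKCS#10 request instead.
     */
    public static X509Certificate findIssuedCertificate(CertStore store, PublicKey enrolledKey)
            throws CertStoreException {
        X509CertSelector selector = new X509CertSelector();
        selector.setSubjectPublicKey(enrolledKey);
        Collection<? extends Certificate> matches = store.getCertificates(selector);
        if (matches.size() != 1) {
            // Zero means the reply did not actually contain our certificate;
            // more than one means something unexpected is in the reply. Fail closed.
            throw new CertStoreException(
                    "expected exactly one certificate for the enrolled key, found " + matches.size());
        }
        return (X509Certificate) matches.iterator().next();
    }

    /**
     * Validate the issued certificate against a CA certificate we obtained and
     * verified out of band. Intermediate certificates the SCEP server added to
     * the reply are used only as path-building material, never as anchors.
     */
    public static CertPath validateChain(X509Certificate issued, CertStore replyCerts,
                                         X509Certificate trustedCa) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(issued);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(trustedCa, null));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(replyCerts);
        // The CertRep MUST NOT carry a CRL, so revocation cannot be checked from the
        // reply alone; disable it here and check revocation through a separate channel.
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
        return result.getCertPath();
    }

    // Usage with the jscep calls named in the answer (client, keyPair, csr,
    // selfSignedIdentity and trustedCa are assumed to exist in the caller):
    //
    //   EnrollmentResponse resp = client.enrol(selfSignedIdentity, keyPair.getPrivate(), csr);
    //   if (resp.isSuccess()) {
    //       CertStore replyCerts = resp.getCertStore();
    //       X509Certificate mine = findIssuedCertificate(replyCerts, keyPair.getPublic());
    //       CertPath path = validateChain(mine, replyCerts, trustedCa);
    //   }
}
```

If the response is pending rather than successful, there is no CertStore to inspect yet and the requester must poll with a GetCertInitial; the helper above is only meaningful once isSuccess() is true.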