Certificate Store Access via HTTP

RFC 4387

The protocol for retrieving CRLs and certificates over HTTP is described in RFC 4387.

Only CA certificates can be fetched, and the attributes certHash, uri, iAndSHash and name are not implemented, as they are not relevant for CA certificates and CRLs.

To specify that a delta CRL should be fetched, the extra parameter delta is appended to the URL:

http://myhost:8080/ejbca/publicweb/crls/search.cgi?sKIDHash=X4NX3VF9u/tzkkGZU6M6OEffhFc&delta=

Note that adding the delta parameter is not described in the RFC.

When searching for certificates, use iHash, sHash, or sKIDHash. iHash is computed from the ASN.1-encoded issuer DN of a certificate and retrieves all certificates with that issuer, except for the root certificate. To search for root certificates, use sHash.

If you have the subjectKeyId (sKIDHash) of a CA certificate, you can retrieve that CA certificate with the URL below. The value is the same sKIDHash that is stored in the subjectKeyId column of the CertificateData table in the database:

http://localhost:8080/ejbca/publicweb/certificates/search.cgi?sKIDHash=fCFvQu6eT4vpNHs62SAe7deePcc=

For information on implementing your own application that accesses the VA, refer to the EJBCA JUnit test class org.ejbca.ui.web.protocol.CertStoreServletTest.
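As an added example (not EJBCA's own code, and not the CertStoreServletTest class referenced above), the following Go program derives the iHash, sHash and sKIDHash query values from a parsed certificate and builds the search.cgi URLs described on this page, including the non-standard delta parameter. It assumes iHash and sHash are base64(SHA-1(DER-encoded Name)) as RFC 4387 defines them, and takes sKIDHash as the base64 of the SubjectKeyIdentifier value itself, as the page states for EJBCA's subjectKeyId column; the test certificate and its 20-byte SKI are constructed inline for deterministic output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"net/url"
	"time"
)

// iHash and sHash per RFC 4387: base64 of the SHA-1 over the DER-encoded Name.
func rfc4387Hash(der []byte) string {
	sum := sha1.Sum(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// QueryParams derives the lookup keys; sKIDHash = base64(SubjectKeyIdentifier value), matching EJBCA's subjectKeyId column (assumed).
func QueryParams(cert *x509.Certificate) (iHash, sHash, sKIDHash string) {
	return rfc4387Hash(cert.RawIssuer), rfc4387Hash(cert.RawSubject),
		base64.StdEncoding.EncodeToString(cert.SubjectKeyId)
}

// SearchURL builds a search.cgi URL for store "certificates" or "crls"; delta appends EJBCA's empty delta parameter. The value is escaped so "/", "+" and "=" survive.
func SearchURL(base, store, attr, value string, delta bool) string {
	u := base + "/ejbca/publicweb/" + store + "/search.cgi?" + attr + "=" + url.QueryEscape(value)
	if delta {
		u += "&delta="
	}
	return u
}

// selfSignedCA is constructed test input (not an EJBCA certificate) with a fixed 20-byte SKI so the derived values are deterministic.
func selfSignedCA() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With a real CA certificate, parse it with x509.ParseCertificate and pass it to QueryParams; the sKIDHash URL it yields is the one to use against the certificates and crls stores.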