Compartilhar via


3.1.4.2.9 ICertAdminD2::GetArchivedKey (Opnum 39)

The GetArchivedKey method is used to retrieve an archived private key and the associated certificate.

 HRESULT GetArchivedKey(
   [in, string, unique] wchar_t const* pwszAuthority,
   [in] DWORD dwRequestId,
   [out, ref] CERTTRANSBLOB* pctbArchivedKey
 );

pwszAuthority: See the pwszAuthority definition in section 3.1.4.1.1.

dwRequestId: An unsigned integer value that specifies the RequestId of the certificate request for which the archived private key and associated certificate are being requested.

pctbArchivedKey: A pointer to a CERTTRANSBLOB structure that MUST contain, on successful response, the archived private key and associated certificate.

ArchivedKey Property Value Processing and Format

The CA server MUST create the ArchivedKey property value by using the following processing rules:

  1. The server MUST read the value from the Request_Raw_Archived_Key column of the Request table where the value of the Request_Request_ID column matches the value of the dwRequestId parameter. If no such record exists or the value of the Request_Raw_Archived_Key column is empty, the CA MUST return a nonzero error to the client.

  2. The server MUST construct a PKCS #7 with the following requirements:

    • ContentInfo: This field MUST have the following values:

      • ContentType: This field MUST be SignedData (1.2.840.113549.1.7.2 PKCS#7 Signed).

      • Content: This field MUST be the value that was read in step 1 from the Request_Raw_Archived_Key column.

    • Certificates: This field MUST include the current CA signing certificate that is used to verify this PKCS#7 message.

    • SignerInfos: The first SignerInfo in the SignerInfos collection MUST use the key that is associated with the current CA signing certificate.

  3. The ASN.1 DER–encoded PKCS#7 signed data that was created in step 2 MUST be the value of the ArchivedKey property in the request table (see section 3.1.1).

The GetArchivedKey method is used to retrieve the archived private key and issued certificate from the CA's database.

The CA server MUST enforce the following processing rules:

  • The CA MUST look up the request based on the provided dwRequestId parameter in the CA database Request table.

  • If the request is not found, the CA MUST fail the request with the error CERTSRV_E_PROPERTY_EMPTY.

  • If the request is found, the CA MUST ensure that the value of the Request.Disposition column in the identified row is "certificate issued".

  • The CA MUST also ensure that the identified request has the ArchivedKey property value. Otherwise, the CA server MUST fail with the error CERTSRV_E_PROPERTY_EMPTY.

  • The pb member of the pctbArchivedBlob parameter MUST reference the value of the ArchivedKey property, and the cb member of the pctbArchivedBlob parameter MUST contain the length, in bytes, of the ArchivedKey property value.