CA servers MUST NOT allow unencrypted XMPP or HTTP connections.

1. A CA certificate MUST fulfill the requirements outlined in XEP-EAX.
2. Additionally, a CA that manages an XMPP server for certificates issuance using the protocol described herein MUST encode an XMPP address of the XMPP server in its own certificate as an XmppAddr identifier (see Section 13.7.1.4 of &rfc6120;). The node and resource parts of the address MUST be empty (omitted). Although there are several ways to encode domain names in X.509 certificates, an XmppAddr identifier type is chosen to provide an indication that the CA accepts certificate signing requests over XMPP.

The following rules apply to a certificate signing request:

1. It MUST be an ASN.1 CertificateRequest structure which MUST conform to RFC2986.
2. Its subject field SHOULD be empty: a subject of the certificate will be generated by the CA server.
3. It MUST contain extensionRequest attribute requesting a bare XMPP address encoded within subjectAltName as an XmppAddr identifier type (see Section 13.7.1.4 of &rfc6120;). The XMPP address MUST be the one a client wishes to associate the requested certificate with.
4. It MAY contain other extensionRequest attributes requesting other subjectAltNames such as rfc822Name (email address), a "tel" URI (&rfc3966;) and so on. In this case a client MUST be prepared to be additionally challenged by the CA server to prove possession of the corresponding identities. A client also MUST be prepared that those attributes may be either ignored and omitted in the issued certificate or the whole request rejected.
5. It SHOULD NOT contain other extensionRequest attributes.

An X.509 certificate and a chain of X.509 certificates are represented by <x509-cert/> and <x509-cert-chain/> elements respectively, qualified by 'urn:xmpp:x509:0' namespace. These elements can be included into other XMPP elements such as messages, subscription requests and so on.

Character data of the <x509-cert/> element MUST be a PEM encoded ASN.1 Certificate structure (Section 5.1 of RFC7468) with encapsulation boundaries (BEGIN/END) removed. The <x509-cert/> element MUST NOT contain any child elements.

The <x509-cert-chain/> element MUST contain one or many <x509-cert/> elements. Those elements MUST be ordered: each certificate in the chain is signed by the entity identified by the next certificate in the chain. A root certificate MAY be included in the chain (as the last element) and an entity performing certification path validation (&rfc5280;) MUST be prepared for this: treating a trusted root certificate in the chain as invalid (because it is self-signed) is a common implementation mistake. However, for the sake of optimization and to avoid trivial bugs, including of a root certificate in the chain is NOT RECOMMENDED.

An <x509-cert-chain/> element MAY possess 'name' attribute. The attribute contains a human readable text that uniquely represents the chain for a user, e.g. a device this certificate chain is assigned to.

A certificate chain may be obtained and/or stored as a so called "PEM file" (formalized by RFC7468). In this case the content of this file is trivially mapped to the <x509-cert-chain/> element and vice versa. See also Storage Format.

A certificate signing request (RFC2986) is represented as an <x509-csr/> element qualified by 'urn:xmpp:x509:0' namespace. Character data of the element MUST be a PEM encoded ASN.1 CertificateRequest structure (Section 7 of RFC7468) with encapsulation boundaries (BEGIN/END) removed. An <x509-csr/> element MUST NOT contain any child elements. The <x509-csr/> element MUST possess a 'transaction' attribute containing a random value identifying a CSR transaction. An <x509-csr/> element MAY possess a 'name' attribute: it contains a human readable text that is linked to the 'name' attribute of the <x509-cert-chain/> element being issued, e.g. a device the requested certificate chain will be assigned to. This name also MAY be stored by the CA server as a part of a user profile, e.g. to futher include it in the user's certificates listing.

Given arbitrary data and an X.509 certificate with its private key, a signature of the data is created by computing a signature function from signatureAlgorithm structure of the certificate upon the data and the private key. The result is represented as <x509-signature/> element qualified by 'urn:xmpp:x509:0' namespace. Character data of the element MUST be the Base64 (&rfc4648;) encoded signature. The element MUST NOT contain any child elements.

Once the server support is determined, a list of CA certificates MAY be retrieved from the server by sending an IQ request containing an empty <x509-ca-list/> element qualified by 'urn:xmpp:x509:0' namespace:

The server responds with an unordered list of <x509-cert/> elements included in an <x509-ca-list/> element:

Note that the important difference, except semantics, between <x509-cert-chain/> and <x509-ca-list/> elements is ordering of their <x509-cert/> elements.

The <x509-ca-list/> element MUST NOT be empty. Upon receiption of an empty <x509-ca-list/> element, a client SHOULD treat it as a server bug or misconfiguration and SHOULD proceed as if the server didn't support c2s SASL EXTERNAL authentication at all.

Once a remote list of CA certificates is retrieved from the server, a client MAY merge it with its own local list and then choose an appropriate CA certificate from this mix. A client is free to use any merging algorithm. The simpliest way to do this is to take an intersection of the remote and local lists. If the result is an empty list, a client MAY apply more sofisticated algorithms, such as checking if there are intermediate CA certificates in the remote list whose are signed by some CA from the local list. In any case, prior to merging, a client MUST filter out certificates from both lists which don't contain an XmppAddr identifier (see Additional CA Certificate Requirements for the explanation). When merging is completed, a client proceeds as follows:

• If the result is not an empty list, a client picks from this list whatever CA certificate it finds appropriate, extracts an XMPP server address from an XmppAddr identifier of this certificate and sends a certificate signing request to this server as described in Certificate Issuance or X.509 IBR depending on whether the client has an already registered account or not.
• If the result is an empty list, a client SHOULD proceed as if the server didn't support c2s SASL EXTERNAL authentication at all.

Once a CA certificate is selected, a target XMPP server address is extracted from an XmppAddr identifier of this certificate. The generated ASN.1 CertificateRequest structure is then used to form an <x509-csr/> element as specified under section CSR Element. The <x509-csr/> element MUST possess a 'transaction' attribute containing a random value identifying this CSR transaction. It MAY contain a 'name' attribute. The <x509-csr/> element is then included into IQ request for transmission. The 'to' attribute of the IQ stanza MUST be set to the target CA server's address.

Upon receiption of a certificate request the CA server MUST check that the bare XMPP address in 'from' attribute matches the value of XmppAddr of the CertificateRequest structure.

The CA server then decides to either issue a certificate, challenge a client or generate an error. If it has an already issued certificate for this CSR, it MUST respond with the certificate without challenging a client. If it has received another request with the same CSR during a challenge procedure, it MUST abort the running procedure, destroy an internal transaction state and process the request within a new transaction.

The CA server MAY challenge a certificate request. It MAY do so for many reasons, for example, it MAY want to identify a human user in order to prevent massive creation of certificates by a single person. Another possible case is when the CA server detected some errors (e.g. too many issued certificates) and wants the user to perform some actions in order to resolve the problem. To do so the CA server responds with an <x509-challenge/> element. The element MUST possess 'uri' attribute containing an URI. It also MUST possess a 'transaction' attribute with the value copied from a 'transaction' attribute of the original <x509-csr/> element. The <x509-challenge/> element MUST contain exactly one <x509-signature/> element carring a signature computed upon concatenation of the values from 'transaction' and 'uri' attributes using the CA certificate (see Signature Element). The challenge element is then included into message stanza for transmission. The value of 'to' attribute of the message MUST be copied from the value of 'from' attribute of the IQ request.

In this version of the protocol the URI MUST be an HTTPS URL. A client is supposed to open this URL in a web browser for a user to process the challenge. The content of the URL is opaque to a human user and thus SHOULD NOT be rendered in a client's user interface.

In the above example the signature is computed upon '4UGObuJYf7yY8ucndbmHhttps://ca.shakespeare.lit/csr/cOemft/8EQTH8'.

Upon receiption of a challenge a client MUST follow these rules:

1. A client checks that the value of 'from' attribute matches the CA server address.
2. A client checks that the value of 'transaction' attribute matches the identifier of the running transaction.
3. A client verifies the signature using the public key of the CA certificate.

If all the checks have passed, a client spawns an URI handler and waits for the certificate response. Otherwise, a client MAY ignore the message or MAY reply with a corresponding stanza error.

When the CA server successfully issued a certificate it MUST respond with an IQ result containing the full certificate chain represented as an <x509-cert-chain/> containing the issued certificate represented as an <x509-cert/> element. Note that according to the defined ordering, this certificate MUST always be the first element in the chain. The server MUST NOT respond with an empty <x509-cert-chain/> element. If the original <x509-csr/> element has possessed a 'name' attribute, its value MUST be copied to 'name' attribute of <x509-cert-chain/> element.

Upon receiption of a response matching the request a client proceeds as follows:

• It MUST destroy internal IQ and transaction states.
• It MUST check that the response has arrived from the requested CA server.
• It MUST check that the response carries <x509-cert-chain/> element which contains at least one <x509-cert/> element.
• It MUST check that all certificates in the chain are valid according to the rules outlined in XEP-EAX.
• It MUST perform certification path validation (&rfc5280;) to check that the certificate chain is indeed signed by the requested CA.

If all the checks succeed, the transaction is considered to be completed. At this point a client MAY release the ASN.1 CertificateRequest structure.

If either of the checks fails, a client MUST behave as if it received an error response with a permanent condition (see Certificate Request Error section).

If the CA server refuses to issue a certificate it MUST generate a corresponding stanza error. In this case <error/> element MUST possess 'by' attribute with the value of the CA server's address. If the error is generated due to challenge failure, <error/> element MUST contain <x509-challenge-failed/> element qualified by 'urn:xmpp:x509:0' namespace.

When a client receives an error response, it considers the transaction as failed and MUST destroy internal IQ and transaction states.

In the case of a temporary failure, a client MAY repeat the request to the same CA server. In the case of a permanent failure, a client MUST choose another CA server if it has decided to retry. In both cases, the 'name' attribute and character data of <x509-csr/> element of the new request MUST be the same. However, a client MUST generate new values for 'transaction' attribute of <x509-csr/> element and for 'id' attribute of the IQ stanza.

A client MUST NOT process an URI from <gone/> and <redirect/> error conditions and MUST treat these errors as permanent failures.

If a client detects a request timeout, i.e. neither challenge nor response have arrived in the assumed time, it MUST behave as if it received an error response with a temporary condition (see Certificate Request Error section).

Once a client has learnt server support from the stream features, it MUST retrieve a list of CA certificates from the server as specified under section CA List Retrieval. The server MUST allow unregistered clients to retrieve this list if it has reported X.509 IBR support. Then a client merges the server's list with its local list as described in section Merging CA Lists and choose a CA certificate from the mix. A client then follows the procedure described in Certificate Issuance section.

Once a certificate is obtained, it is RECOMMENDED to perform SASL EXTERNAL authentication with the server as soon as possible in order for the server to mark the account as registered (see Registration Mark).

Upon receiption of a certificate request, the server checks that:

1. The IQ stanza possesses 'to' attribute.
2. The ASN.1 CertificateRequest structure inside <x509-csr/> element contains an XMPP address (that the client requests to register, see CSR Requirements).
3. The server is responsible for the domain of the XMPP address.
4. An XMPP address in 'to' attribute is a trusted CA server and the server allows this CA to issue certificates for the users of the domain.
5. There is no already registered or preallocated (see Preallocation) account matching the XMPP address being registered. If the account is preallocated, an ASN.1 CertificateRequest structure from the preallocation MUST match the one from the request.

If either of these checks fails, the server MUST generate a corresponding stanza error. If the error is generated because the account is already registered or preallocated, the error condition MUST be <conflict/>.

If all the checks succeed, the server preallocates an account and routes the request as described below.

For compatibility with other programs, a client SHOULD store an obtained certificate chain in PEM format (RFC7468) written to a file with ".pem" extension. Alternatively, a client MAY store it in other formats, but SHOULD provide a procedure for exporting in PEM format.

When an already registered client detects server support e.g. after software upgrade, it may ask the user to request a certificate and transition to SASL EXTERNAL authentication (although the exact question may not contain these technical details). In order to avoid confusion, a client should check if it has a mutually trusted CA certificate with the server as specified under CA List Retrieval and Merging CA Lists sections before asking for transitioning.

In order to optimize battery consumption some mobile operating systems have very strong limitations for background processes. This may become a problem for a client running a challenge procedure: the procedure is typically interactive and thus the client process may be preempted and killed. A possible workaround is to store the request state in durable storage and, when the challenge is passed and the client process is restarted, consult the storage and repeat the request if needed. Since CA servers are prepared to resend responses for already issued certificates without challenging, a client doesn't need to disturb a human user again in order to receive the certificate.