This operational protocol, used to retrieve CRLs and certificates, is described in RFC 4387.

CA certificates and CRLs can be fetched with the attributes iHash, sHash, and sKIDHash. The attributes certHash, uri, iAndSHash, and name are not implemented as they are not relevant for CA certificates and CRLs.

To enable specifying that a delta CRL should be fetched, the extra parameter delta is added to the URL:

http://ejbca.example.com:8080/ejbca/publicweb/crls/search.cgi?sKIDHash=X4NX3VF9u/tzkkGZU6M6OEffhFc&delta=

The delta parameter is not described in RFC 4387.

This operational protocol can be used for retrieving partitioned CRLs when configured on a CA in EJBCA:

http://ejbca.example.com:8080/ejbca/publicweb/crls/search.cgi?iHash=A0LJKitIFOPr%2BpXooZ7b3EWNyu0&partition=123

When searching for certificates, use iHash, sHash, and sKIDHash. iHash is a hash of the ASN.1-encoded DN of the issuer in a certificate and retrieves all certificates that have the same issuer, except for the root certificate. To search for root certificates, use sHash.

If you have the subjectKeyId (sKIDHash) of a CA certificate, you can retrieve the CA certificate with the URL below. It is the same sKIDHash as stored in the subjectKeyId column of the CertificateData table in the database:

http://ejbca.example.com:8080/ejbca/publicweb/certificates/search.cgi?sKIDHash=fCFvQu6eT4vpNHs62SAe7deePcc=

For information on implementing your own application accessing the VA, refer to the EJBCA JUnit test class org.ejbca.ui.web.protocol.CertStoreServletTest.
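
As an added example (not EJBCA's own code), the following Python sketch derives iHash and sHash from a certificate and builds the search URLs described above, percent-encoding the base64 characters that are unsafe in a query string. It assumes the RFC 4387 definition of these attributes (base64 of the SHA-1 of the DER-encoded Name); the function names and the skeleton sample certificate are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlencode

BASE = "http://ejbca.example.com:8080/ejbca/publicweb"  # host from the page's URLs
# Constructed skeleton, not a real certificate: only the fields the parser walks.
ISSUER = bytes.fromhex("300d310b300906035504030c024341")   # Name: CN=CA
SUBJECT = bytes.fromhex("300d310b300906035504030c024545")  # Name: CN=EE
TBS = bytes.fromhex("a003020102" "020101" "3000") + ISSUER + b"\x30\x00" + SUBJECT
SAMPLE_CERT = bytes([0x30, len(TBS) + 2, 0x30, len(TBS)]) + TBS

def tlv(buf, off):
    """Return (tag, value_start, end) for the DER element starting at off."""
    tag, length = buf[off], buf[off + 1]
    start = off + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def issuer_and_subject(cert_der):
    """Return the raw DER encodings of the issuer and subject Names."""
    _, off, _ = tlv(cert_der, 0)          # Certificate SEQUENCE
    _, off, _ = tlv(cert_der, off)        # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert_der, off)
    if tag == 0xA0:                       # skip the optional [0] version
        off = end
    fields = []
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(cert_der, off)
        fields.append(cert_der[off:end])
        off = end
    return fields[2], fields[4]

def name_hash(name_der):
    """iHash/sHash value: base64 of the SHA-1 of a DER-encoded Name."""
    return base64.b64encode(hashlib.sha1(name_der).digest()).decode()

def search_url(store, attr, value, delta=False, partition=None):
    """Build a search.cgi URL; store is 'crls' or 'certificates'."""
    params = {attr: value}
    if delta:
        params["delta"] = ""              # extra parameter described on this page
    if partition is not None:
        params["partition"] = str(partition)
    # urlencode percent-encodes '+', '/' and '=' from the base64 alphabet.
    return f"{BASE}/{store}/search.cgi?" + urlencode(params)
```

A CRL or certificate fetched this way over plain HTTP should still have its signature verified against a trusted CA certificate before it is relied on.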