This operational protocol, used to retrieve CRLs and certificates, is described in RFC 4387.
CA certificates and CRLs can be fetched with the attributes iHash, sHash, and sKIDHash. The attributes certHash, uri, iAndSHash, and name are not implemented as they are not relevant for CA certificates and CRLs.
To enable specifying that a delta CRL should be fetched, the extra parameter delta is added to the URL:
Adding the delta parameter is not described in RFC 4387.
This operational protocol can be used for retrieving partitioned CRLs when configured on a CA in EJBCA:
When searching for certificates, use iHash, sHash, and sKIDHash. iHash is derived from the ASN.1-encoded DN of the issuer in a certificate and retrieves all certificates that have the same issuer, except for the root certificate. To search for root certificates, use sHash.
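An added example (not EJBCA code and not from the original page): deriving iHash and sHash lookup values from the issuer and subject Name bytes exactly as a certificate encodes them, assuming RFC 4387's convention of a SHA-1 hash that is base64-encoded with the trailing `=` dropped. The sample certificates are constructed, unsigned skeletons, every function name is hypothetical, and only the query string is built because the search URL depends on the VA deployment.

```python
import base64
import hashlib
from urllib.parse import urlencode

def tlv(tag, body):
    """DER-encode one TLV; only used to build the constructed samples below."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER TLV that starts at pos."""
    tag, first, start = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def issuer_and_subject(cert_der):
    """Return the issuer and subject Name bytes exactly as the certificate encodes them."""
    _, pos, _ = read_tlv(cert_der, 0)          # Certificate
    _, pos, tbs_end = read_tlv(cert_der, pos)  # tbsCertificate
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                   # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]          # serial, sigAlg, issuer, validity, subject

def rfc4387_hash(name_der):
    """Assumed encoding: SHA-1 of the DER Name, base64, trailing '=' removed."""
    return base64.b64encode(hashlib.sha1(name_der).digest()).decode().rstrip("=")

def search_query(attribute, name_der):
    return urlencode({attribute: rfc4387_hash(name_der)})  # escapes base64 '+' and '/'

def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned skeleton with just enough structure to parse."""
    def name(cn):
        atv = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))
        return tlv(0x30, tlv(0x31, atv))
    fields = tlv(0xA0, bytes.fromhex("020102")) + bytes.fromhex("020101") + tlv(0x30, b"")
    return tlv(0x30, tlv(0x30, fields + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn)))

ROOT = sample_cert("Example Root CA", "Example Root CA")  # self-signed: issuer == subject
SUB = sample_cert("Example Root CA", "Example Sub CA")
```

The hash is taken over the Name bytes as they appear in the certificate, so re-encoding a DN from its string form (for example with a different string type) would produce a different lookup value. In the samples, the sub CA's iHash equals the root's sHash because both hash the same Name bytes.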
If you have the subjectKeyId/sKIDHash of a CA certificate (the same sKIDHash as stored in the subjectKeyId column of the CertificateData table in the database), you can retrieve the CA certificate using:
For information on implementing your own application accessing the VA, refer to the EJBCA JUnit test class org.ejbca.ui.web.protocol.CertStoreServletTest.