This operational protocol, used to retrieve CRLs and certificates, is described in RFC 4387.

CA certificates and CRLs can be fetched with the attributes iHash, sHash, and sKIDHash. The attributes certHash, uri, iAndSHash, and name are not implemented, as they are not relevant for CA certificates and CRLs.

To enable specifying that a delta CRL should be fetched, the extra parameter delta is added to the URL:

Adding the delta parameter is not described in RFC 4387. 

This operational protocol can be used for retrieving partitioned CRLs when configured on a CA in EJBCA:

When searching for certificates, use iHash, sHash, and sKIDHash. iHash is the hash of the ASN.1-encoded DN of the issuer in a certificate; searching on it retrieves all certificates that have the same issuer, except for the root certificate. To search for root certificates, use sHash.

If you have the subjectKeyId/sKIDHash of a CA certificate, you can use it to retrieve the CA certificate (it is the same sKIDHash as stored in the subjectKeyId column of the CertificateData table in the database):

For information on implementing your own application accessing the VA, refer to the EJBCA junit test class org.ejbca.ui.web.protocol.CertStoreServletTest.
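The following is an added example, not EJBCA code and not taken from the test class above: a client-side helper that computes iHash/sHash values as the base64-encoded SHA-1 of the DER-encoded DN, per RFC 4387, and builds the percent-encoded query string. The sample DN and all function names are assumptions made for illustration, and no endpoint URL is included.

```python
import base64
import hashlib
from urllib.parse import urlencode

# Attributes the page lists as implemented for CA certificates and CRLs.
IMPLEMENTED = {"iHash", "sHash", "sKIDHash"}

def tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_name(rdns) -> bytes:
    """Build a constructed sample Name. A real client copies the DN bytes
    from the certificate, because the hash covers the exact encoding."""
    oids = {"C": "550406", "O": "55040a", "CN": "550403"}
    out = b""
    for attr, value in rdns:
        tag = 0x13 if attr == "C" else 0x0C  # PrintableString for C, else UTF8String
        atv = tlv(0x06, bytes.fromhex(oids[attr])) + tlv(tag, value.encode("utf-8"))
        out += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, out)

def dn_hash(name_der: bytes) -> str:
    """Base64 of the SHA-1 digest of the DER-encoded DN."""
    return base64.b64encode(hashlib.sha1(name_der).digest()).decode("ascii")

def search_query(attr: str, value: str) -> str:
    """Return the percent-encoded query string for one search attribute."""
    if attr not in IMPLEMENTED:
        raise ValueError(f"{attr} is not implemented for CA certificates and CRLs")
    raw = base64.b64decode(value, validate=True)  # rejects non-base64 input
    if attr in ("iHash", "sHash") and len(raw) != 20:
        raise ValueError("DN hashes are 20-byte SHA-1 digests")
    # Base64 may contain '+', '/' and '=', which must not appear raw in a query.
    return urlencode({attr: value})

# Constructed sample DN for a self-signed root CA (not from the page).
ROOT_DN = der_name([("C", "SE"), ("O", "Example"), ("CN", "Constructed Root CA")])

def root_and_issued_queries(ca_dn: bytes):
    """sHash finds the CA's own certificate (roots included);
    iHash finds certificates issued by that DN (roots excluded)."""
    h = dn_hash(ca_dn)
    return search_query("sHash", h), search_query("iHash", h)
```

For sKIDHash, pass the base64 value exactly as it is stored in the subjectKeyId column; the helper only checks that it is valid base64.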