2.2.9.2 Certificate and License Chains
A certificate or license chain shows the issuing and trust hierarchy for a given certificate or license. The following diagram shows the relationships between certificates.
Figure 3: Relationships between certificates
For version 1 clients, the SPC chain starts at the SPC leaf node certificate, followed by the version 1 security processor Certification Authority (CA) certificate, followed by the intermediate security processor CA certificate, and terminates at the CA certificate. For version 1 SP1 and newer clients, the SPC chain starts at the SPC leaf node certificate, followed by the SPC Issuer certificate, followed by the security processor CA certificate, followed by the intermediate security processor CA certificate, and terminates at the CA certificate. Certificates in the SPC chain are acquired during client machine activation and are never generated by the server. For more information on client machine activation, see 3.8.3.1.
The RAC chain starts at the RAC leaf node certificate, followed by the SLC, followed by the Enrollment Service certificate, followed by the Enrollment CA certificate, terminating at the CA certificate. The CLC chain starts at the CLC leaf node certificate, followed by the SLC, followed by the Enrollment Service certificate, followed by the Enrollment CA certificate, and terminating at the CA certificate.
Certificates in dark boxes (RAC and CLC) are issued by the server. Certificates from the SLC and below are acquired during server enrollment. For more information on server enrollment, see 3.6.4.2.1.1.
Certificates in dashed boxes (SLC, version 1 security processor CA certificate, SPC Issuer certificate, security processor CA certificate, intermediate security processor CA certificate, CA certificate, Enrollment Service certificate, and Enrollment CA certificate) are issuing certificates and follow a similar format.
The following diagram shows the relationships between licenses and the certificate in their chains.
Figure 4: Relationships between licenses and certificates
The UL chain starts at the UL leaf node certificate, followed by the SLC, followed by the Enrollment Service certificate, followed by the Enrollment CA certificate, terminating at the CA certificate.
For content published online, the PL chain starts at the PL leaf node certificate and terminates at the SLC. For content published offline, the PL chain starts at the PL leaf node certificate and terminates at the CLC.
The rights policy template is signed by the SLC, but exists as a single-node certificate.
Licenses in dark boxes (UL and online PL) are issued by the server. The offline PL is issued by the client.
Every license and certificate used in an RMS: Client-to-Server Protocol environment consists of a chain of certificates that leads back to a CA certificate. RMS servers provide two chains into which a license or certificate can be nested: a pre-production certificate chain and a production certificate chain. During application development, the pre-production certificate is used to sign custom applications into the pre-production RMS certificate hierarchy. Once an application is ready for production, a production certificate is used to sign the application into the production certificate hierarchy.
RMS: Client-to-Server Protocol version 2.0 has a process called self-enrollment in which a self-enrollment certificate and private key are used to automatically create the SLC.<6>