Applications that use Pull Management (see 7.2) to initialize their configuration need to know the location of the CertificateManager which they can use to request Certificates and download Trust Lists. This location may be auto-discovered via mDNS by looking for servers with the GDS capability (see Annex D) or by providing a URL via and out of band mechanism such as e-mail or a web page.

Once the location is known the Application can connect to the CertificateManager and establish a secure channel. This will require that the Application trust the Certificate provided by the CertificateManager even if it is not in the Application’s Trust List. If there is an interactive user the Application should warn the user before proceeding. If there is no interactive user the Application should ensure the domain in the URL matches one of the domains in the Certificate.

In some cases, the Application distributor or installer will know the CA used to sign the Certificate used by the CertificateManager and can add this CA to the Application’s Trust List during installation. If practical, this approach provides the best protection against accidental registration with rogue CertificateManagers.

After establishing a secure channel with the CertificateManager, the Application shall provide user credentials which allow it to register new applications and request new Certificates. The credentials may be provided by prompting a user or they may be one time use credentials delivered via some out of band mechanism such as a web site during the installation process.

For embedded systems it can be impractical to enter user credentials. As an alternative, a unique ApplicationInstance Certificate can be provided during manufacture and the Certificate or a unique identifier for the Certificate should be provided to the device installer. The installer would then register the unique identifier or Certificate with the CertificateManager which would allow the device to request a new Certificate by creating a Secure Channel with the manufacturer’s Certificate.

Once an Application has received its first Certificate then the Certificate can be used in lieu of user credentials when the Application needs to renew its Certificate or update its Trust List.