Pull Management is performed by using the CertificateManager information model – in particular the Methods - defined in 7.6. The interactions between Application and CertificateManager during Pull Management are illustrated in Figure 12.
Figure 12 – The Pull Certificate Management Model
The Application Administration component may be part of the Application or a standalone utility that understands how the Application persists its configuration information in its Configuration Database.
A similar process is used to renew certificates or to periodically update Trust List.
Security in Pull management requires an encrypted channel and the use of Administrator credentials for the CertificateManager that ensure only authorized users can register new Applications and request an initial new Certificate. Once an Application has a Certificate it can use this Certificate to renew the Certificate or to update Trust Lists and Revocation lists. It is important that a CertificateManager does not provide certificate renewals except to the applications that already own the prior certificate.