Okay, I've worked out some of the logic and which servlets we need to call. * Submit the client request.[[BR]] * if (enrolling-a-new-certificate):[[BR]] submit via HTTP to ''/ca/ee/ca/profileSubmit'':[[BR]] profileId=''profile''[[BR]] cert_request_type=''pkcs10''[[BR]] cert_request=''base64''[[BR]] * if (renewing-an-already-issued-certificate):[[BR]] submit via HTTP to ''/ca/ee/ca/profileSubmit'':[[BR]] renewal=true[[BR]] serial_num=''decimal serial number''[[BR]] profileId=''profile''[[BR]] * Maybe approve the request ourselves.[[BR]] * if (we're-an-agent):[[BR]] read default values via authenticated HTTPS to ''/ca/agent/ca/profileReview''[[BR]] requestId=''decimal''[[BR]] (pick up all ''defId'' and ''defVal'' values with ''defConstraint'' NOT ''readonly''; if ''defSyntax'' is ''choice'' and ''defVal'' is not set, use the first item in the comma-separated ''defConstraint'' list)[[BR]] issue via authenticated HTTPS to ''/ca/agent/ca/profileProcess''[[BR]] requestId=''decimal''[[BR]] op=approve[[BR]] (all ''defId'' and ''defVal'' values as key/value pairs)[[BR]] requestNotes=''free-form text''[[BR]] * Check that the certificate was issued.[[BR]] * HTTP to ''/ca/ee/ca/checkRequest''[[BR]] requestId=''decimal request ID''[[BR]] importCert=true[[BR]] * Retrieve the new certificate.[[BR]] * if (certificate-is-ready):[[BR]] HTTP to ''/ca/ee/ca/displayCertFromRequest''[[BR]] requestId=''decimal request ID''[[BR]]