3.2.1.4.2.1.4 Processing a Request

The CA MUST inspect the format of certificate requests. If the requestor sets the RequestType byte of the dwFlags parameter to a nonzero value, the RequestType specifies the format of the request (see section 3.2.1.4.3.1.1 for more details). The request can be a PKCS #10, CMS, KEYGEN, or CMC structured request. If the RequestType byte of the dwFlags parameter is set to zero, the client relies on the CA to determine the request type.

There are two scenarios for requests:

  • New certificate request

  • Request to renew an existing certificate

The following table describes the different request types and request formats that are used when constructing each certificate request, as indicated in the column heading.

  Request type      CMS with PKCS #10   PKCS #10   CMS with CMC   Netscape KeyGen
  ---------------   -----------------   --------   ------------   ---------------
  New request       Yes                 Yes        Yes            Yes
  Renewal request   Yes                 No         Yes            No

"Yes" indicates that this format is supported for this request type. "No" indicates that this format is not supported by this protocol.

If a certificate request is submitted by using a certificate format that is not supported, or if the type of the request does not match the format denoted by the RequestType byte of the dwFlags parameter (see section 3.2.1.4.3.1.1 for more details), the CA MUST return an error code. The error code SHOULD be CRYPT_E_INVALID_MSG_TYPE.

The server MUST apply the rules specified in the following subsections for each one of these request types. To determine the type of the request, the CA MUST perform the following processing rules:

  1. The received request with a "CMS with PKCS #10" format is a renewal request if it meets all of the requirements specified in section 3.2.1.4.2.1.4.2.1. Otherwise, it is a new request.

  2. The received request with a "CMS with CMC" format is a renewal request if it meets all of the requirements specified in section 3.2.1.4.2.1.4.2.2. Otherwise, it is a new request.

  3. In all other cases, the received request is a new request.
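
The following sketch shows the checks above as a CA-side decision function. It is an added example, not part of the specification or of any Microsoft implementation. Assumptions: the RequestType byte is bits 8-15 of dwFlags with the CR_IN_* values from the Windows SDK header certcli.h (section 3.2.1.4.3.1.1 is authoritative), the format is detected by a parser not shown here, and the renewal requirements of sections 3.2.1.4.2.1.4.2.1 and 3.2.1.4.2.1.4.2.2 are evaluated elsewhere and passed in as a boolean. The names Fmt, RequestRejected and classify are hypothetical.

```python
from enum import Enum

CRYPT_E_INVALID_MSG_TYPE = 0x80091004  # HRESULT value from winerror.h


class Fmt(Enum):
    # RequestType byte values (CR_IN_* >> 8 in certcli.h); assumed mapping
    # to the format names used in the table above.
    PKCS10 = 0x01
    KEYGEN = 0x02
    CMS_PKCS10 = 0x03
    CMS_CMC = 0x04


# Only these formats can carry a renewal request (the "Yes" cells in the
# "Renewal request" row of the table).
RENEWAL_FORMATS = {Fmt.CMS_PKCS10, Fmt.CMS_CMC}


class RequestRejected(Exception):
    """Raised when the CA must return an error code for the request."""
    def __init__(self, reason):
        super().__init__(reason)
        self.hresult = CRYPT_E_INVALID_MSG_TYPE


def classify(dw_flags, detected, meets_renewal_rules=False):
    """Return (format, "new" | "renewal") or raise RequestRejected.

    detected            -- Fmt found by the CA's own parser, None if the
                           blob matched no supported format (assumed input)
    meets_renewal_rules -- outcome of the renewal requirement checks for
                           the detected format (assumed input)
    """
    if detected is None:
        raise RequestRejected("request is not in a supported format")

    declared = (dw_flags >> 8) & 0xFF  # RequestType byte; 0 = CA decides
    if declared != 0:
        try:
            declared_fmt = Fmt(declared)
        except ValueError:
            raise RequestRejected("unknown RequestType 0x%02x" % declared)
        # Never trust the client's label over what was actually parsed.
        if declared_fmt is not detected:
            raise RequestRejected("RequestType does not match request body")

    # Rules 1-3: renewal only for the two CMS formats, otherwise new.
    if detected in RENEWAL_FORMATS and meets_renewal_rules:
        return detected, "renewal"
    return detected, "new"
```

A PKCS #10 or KEYGEN request is classified as new even if the caller passes meets_renewal_rules=True, which is how the "No" cells of the table fall out of rule 3.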