3.2.2.6.2.1.2.1.2 Request on Behalf of Using CMS and CMC Request Format

The request MUST conform to [RFC2797]. The processing rules below for the fields of that request are not specified by [RFC2797]; the CA MUST adhere to them when it validates the request:

  • contentType: This field MUST be set to the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData). If it is not, the CA MUST return a non-zero error.

  • content: This field is a SignedData structure. If it is not, the CA MUST return a non-zero error.

    • encapContentInfo: This field MUST have the following values for its fields:

      • eContentType: This field MUST be set to the OID szOID_CT_PKI_DATA (1.3.6.1.5.5.7.12.2, id-cct-PKIData). If it is not, the CA MUST return a non-zero error.

      • eContent: This field MUST be a PKIData structure, as specified in [RFC2797] section 3.1. The PKIData structure MUST adhere to the following requirements:

        • TaggedRequest: This field MUST contain exactly one certificate request. The certificate request MUST be PKCS #10 conforming to the rules specified in sections 2.2.2.6.5 and 3.2.1.4.2.1.4.1.1. If it is not, the CA MUST return a non-zero error.

        • TaggedAttribute: This field MUST include the RegInfo attribute (as specified in [RFC2797] section 5.12). The RegInfo value MUST include the OID szENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1) attribute. The value of the attribute MUST include the requestername name-value pair. The value of the requestername name-value pair MUST be used to construct the Subject field in the issued certificate.

    • certificates: This field MUST include every certificate associated with a private key that was used to produce a signature in the signerInfos field (the outer CMS signature, not the signature inside the PKCS #10). Each of these certificates MUST have the certificate request agent EKU (1.3.6.1.4.1.311.20.2.1).

    • signerInfos: The signing MUST be done with the key (or keys) associated with the already issued certificate (or certificates) that are passed in the certificates field. Because the Subject of the issued certificate is constructed from the requestername value supplied in the request, this signature is what binds the request to an authorized enrollment agent; the CA's processing of the requestername value depends on verifying each signature against the corresponding certificate in the certificates field.