3.2.1.4.2.1.4.1.4 New Certificate Request Using KEYGEN Request Format

The certificate request MUST be compliant with "Netscape Extensions for User Key Generation Communicator 4.0 Version", otherwise the CA MUST return a non-zero error. For specifications, see [HTMLQ-keygen]. For information on how <KEYGEN> works with a CA, see section 1.3.2.4.

The request MUST contain the following attributes in the pwszAttributes parameter:

  • challenge ([HTMLQ-keygen] – see ‘Meter’ element): If the challenge string is supplied in the certificate request, the CA MUST verify that the same string (case-sensitive comparison) is supplied in the pwszAttributes parameter. If it is not, the CA MUST return a non-zero error. The syntax for this attribute is specified in section 2.2.2.7.

  • CertType: The processing rules for this attribute are specified in section 3.2.1.4.2.1.2.

  • rdn ([HTMLQ-keygen] - see ‘Meter’ element): This attribute MUST be added to this parameter. If the attribute is not added, the CA MUST return a non-zero error code. If the attribute is present in this parameter, the CA MUST use the value to construct the Subject field in the issued certificate. Optional values are specified in section 2.2.2.6.4.2.
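
The challenge and rdn rules above, as an added Python example (not code from this specification or from any CA implementation). It assumes the request is a DER-encoded SignedPublicKeyAndChallenge, that pwszAttributes holds newline-separated name:value pairs with case-insensitive names, and that an empty challenge means none was supplied; E_REJECT and all function names are hypothetical, and signature verification and CertType processing are not shown.

```python
E_REJECT = 1  # placeholder: the page only requires "a non-zero error"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def spkac_challenge(der):
    """Challenge string from a DER SignedPublicKeyAndChallenge."""
    tag, spkac, _ = read_tlv(der, 0)       # outer SEQUENCE
    tag2, pkac, _ = read_tlv(spkac, 0)     # PublicKeyAndChallenge
    tag3, _, pos = read_tlv(pkac, 0)       # SubjectPublicKeyInfo, skipped
    tag4, challenge, _ = read_tlv(pkac, pos)
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x16):
        raise ValueError("not a SignedPublicKeyAndChallenge")
    return challenge.decode("ascii")       # IA5String; bad bytes raise ValueError

def parse_attributes(attrs):
    """Assumed syntax: newline-separated name:value pairs, names case-insensitive."""
    pairs = (line.partition(":") for line in attrs.split("\n"))
    return {name.strip().lower(): value for name, sep, value in pairs if sep}

def check_keygen_request(der, attrs):
    """Return 0 when the challenge and rdn rules hold, else E_REJECT."""
    parsed = parse_attributes(attrs)
    if "rdn" not in parsed:                # rdn MUST be present
        return E_REJECT
    try:
        challenge = spkac_challenge(der)
    except ValueError:                     # malformed request
        return E_REJECT
    # Assumption: an empty IA5String means no challenge was supplied.
    if challenge and parsed.get("challenge") != challenge:  # exact, case-sensitive
        return E_REJECT
    return 0

def _tlv(tag, body):                       # builder for the constructed sample
    return bytes([tag, len(body)]) + body

# Constructed sample: empty key and signature placeholders, challenge "Xy7".
SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0x30, b"") + _tlv(0x16, b"Xy7"))
              + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```
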