3.2.1.4.2.1.4.1.1 New Certificate Request Using PKCS #10 Request Format

In general, the request MUST be compliant with the information in [RFC2986]. The CA MUST also adhere to the processing rules listed with the following fields; these rules are not explicitly specified by [RFC2986]:

  • Subject: The CA MUST use the information supplied in this field to construct the Subject field, as specified in [RFC3280], in the issued certificate.

  • SubjectPublicKeyInfo: This field MUST contain the required information on the public key associated with the certificate request. The CA MUST copy this field to the SubjectPublicKeyInfo field, as specified in [RFC3280], in the issued certificate. The CA MUST validate the requester's possession of the key by verifying that the signature on the request was computed by using the private key corresponding to the public key in this field. See section 4.2 in [RFC2986] for more information on certificate request signatures. If the SubjectPublicKeyInfo field is not present in the request or signature validation fails, the CA MUST return a nonzero error to the client.

  • Attribute: This field MAY be used to send additional parameters to the CA. The CA MUST parse it and use it to construct the issued certificate. The following rules MUST be followed for each one of the supported attributes:

    • OID = szOID_OS_VERSION (1.3.6.1.4.1.311.13.2.3)

      • Description: This attribute MUST define the client's operating system version.

      • CA Semantics: The CA MUST ignore the value of this attribute. The CA MUST NOT assume any specific values or value ranges that it receives in this attribute. If this field contains more than one value, the CA MUST return 0x8007000D (ERROR_INVALID_DATA) to the client. If the format is not compliant with the requirement specified in section 2.2.2.7, the CA MUST return a nonzero error to the client.

    • OID = szOID_ENROLLMENT_CSP_PROVIDER (1.3.6.1.4.1.311.13.2.2)

      • Description: This attribute MUST define the CSP used to generate the key pair on the enrollment client.

      • CA Semantics: The CA MUST ignore the value of this attribute. The CA MUST NOT assume any specific values or value ranges that it receives in this attribute. If this field contains more than one value, the CA MUST return 0x8007000D (ERROR_INVALID_DATA) to the client. If the format is not compliant with the requirement specified in section 2.2.2.7, the CA MUST return a nonzero error to the client.

    • OID = szOID_REQUEST_CLIENT_INFO (1.3.6.1.4.1.311.21.20)

      • Description: Provides information on the client. For details, see section 2.2.2.7.4.

      • CA Semantics: The CA MUST ignore the value of this attribute. The CA MUST NOT assume any specific values or value ranges that it receives in this attribute.

    • OID = szOID_CERT_EXTENSIONS (1.3.6.1.4.1.311.2.1.14)

      • Description: This OID MUST be used to encode an array of extensions into an attribute so that extensions can be included in a PKCS #10 request.

      • CA Semantics: The CA SHOULD add the requested extensions as specified in this value to the issued certificate.<76>

    • OID = szOID_ENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1)

      • Description: Additional attributes that MAY be used for the certificate request. The attributes are identical to the attributes that are defined for the pwszAttributes parameter.

      • CA Semantics: The CA behavior for this attribute is identical to the behavior for attributes in the pwszAttributes parameter as specified in section 3.2.1.4.2.1.2.
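The attribute rules above are easy to state but easy to get wrong in a CA implementation, because the attributes the CA is told to ignore still have to be parsed and counted. The following added example (not part of this specification and not Microsoft's code) walks the DER of a CertificationRequestInfo with a small hand-written reader, extracts each Attribute as (OID, values), and applies the one rule the text makes checkable: szOID_OS_VERSION or szOID_ENROLLMENT_CSP_PROVIDER with more than one value yields 0x8007000D (ERROR_INVALID_DATA). The sample requests are constructed in the block with a placeholder SubjectPublicKeyInfo (empty BIT STRING, not a real key); the proof-of-possession signature check on the outer CertificationRequest (section 4.2 of [RFC2986]) is assumed to be done by the CA's cryptographic library and is not shown here. Function and constant names other than the szOID_* values are this example's own.

```python
"""Minimal DER walk over PKCS #10 CertificationRequestInfo attributes (added example)."""

ERROR_INVALID_DATA = 0x8007000D          # HRESULT named in the text
S_OK = 0

# OIDs as listed in the text above
OID_OS_VERSION = "1.3.6.1.4.1.311.13.2.3"
OID_ENROLLMENT_CSP_PROVIDER = "1.3.6.1.4.1.311.13.2.2"
OID_REQUEST_CLIENT_INFO = "1.3.6.1.4.1.311.21.20"
OID_CERT_EXTENSIONS = "1.3.6.1.4.1.311.2.1.14"
OID_ENROLLMENT_NAME_VALUE_PAIR = "1.3.6.1.4.1.311.13.2.1"

# Attributes the text says MUST carry at most one value
SINGLE_VALUED = {OID_OS_VERSION, OID_ENROLLMENT_CSP_PROVIDER}


def der_length(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Tag-length-value for one DER element."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """OBJECT IDENTIFIER content bytes -> dotted string (first arc 0, 1 or 2 < 80 assumed)."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it). Rejects truncation."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(content):
    """Split the content of a constructed element into its (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items


def parse_attributes(cri):
    """Return [(dotted_oid, [DER-encoded value, ...]), ...] from a CertificationRequestInfo."""
    tag, body, _ = der_read(cri)
    if tag != 0x30:
        raise ValueError("CertificationRequestInfo must be a SEQUENCE")
    fields = der_children(body)
    if len(fields) != 4 or fields[3][0] != 0xA0:
        raise ValueError("expected version, subject, subjectPKInfo, [0] attributes")
    attrs = []
    for atag, attr in der_children(fields[3][1]):
        children = der_children(attr)
        if atag != 0x30 or len(children) != 2 or children[0][0] != 0x06 or children[1][0] != 0x31:
            raise ValueError("Attribute must be SEQUENCE { OID, SET OF value }")
        # keep each value as its raw TLV; the CA ignores the content but must count values
        attrs.append((decode_oid(children[0][1]), [der(t, c) for t, c in der_children(children[1][1])]))
    return attrs


def check_attributes(attrs):
    """Apply the multi-value rule from the text: return S_OK or ERROR_INVALID_DATA."""
    for oid, values in attrs:
        if oid in SINGLE_VALUED and len(values) > 1:
            return ERROR_INVALID_DATA
    return S_OK


def build_request_info(attributes):
    """Constructed CertificationRequestInfo with a placeholder (not real) public key."""
    version = der(0x02, b"\x00")
    subject = der(0x30, b"")                                   # empty Name, placeholder
    alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00"))                 # empty BIT STRING, placeholder key
    attr_set = b"".join(der(0x30, der(0x06, encode_oid(oid)) + der(0x31, b"".join(vals)))
                        for oid, vals in attributes)
    return der(0x30, version + subject + spki + der(0xA0, attr_set))


# Constructed sample requests (values are illustrative, not captured data)
GOOD_REQUEST = build_request_info([
    (OID_REQUEST_CLIENT_INFO, [der(0x30, b"")]),
    (OID_OS_VERSION, [der(0x16, b"10.0.19041.2")]),
])
BAD_REQUEST = build_request_info([
    (OID_OS_VERSION, [der(0x16, b"6.3.9600.2"), der(0x16, b"10.0.19041.2")]),
])

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, hex(check_attributes(parse_attributes(req))))
```

The reader deliberately rejects anything that is not the exact `SEQUENCE { OID, SET OF }` shape before the value rule is applied, so a malformed attribute surfaces as a parse error rather than being silently ignored; a real CA would map that error to the "nonzero error" the text requires.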