2.2.2.7 Certificate Request Attributes

A certificate request can contain attributes. The client uses these attributes to pass additional information to the CA, and the CA uses these attributes when issuing the certificate.

There are various locations for these attributes:

  • For certificate requests based on the PKCS #10 message format, the attributes SHOULD be passed in the Attributes field, as specified in [RFC2986].

  • For certificate requests based on the CMS format, the attributes SHOULD be passed in the Attributes field of the inner PKCS #10 certificate request that MUST be passed in the CMS. Details are specified in section 3.1.1.4.3.1.2.

  • For certificate requests based on the CMC format, attributes SHOULD be passed in the Attributes field of the inner PKCS #10 certificate request that MUST be passed in the CMC. Details are specified in section 3.1.1.4.3.1.3. The attributes specified in section 2.2.2.7.10 MAY be passed in the RegInfo field of the CMC request. For formatting rules, see section 2.2.2.6.3.

In addition, the client can pass the attributes specified in section 2.2.2.7.10 in the pwszAttributes parameter for the ICertRequestD::Request and ICertRequestD2::Request2 methods. The format for this parameter is specified in section 3.2.1.4.2.1.

Because the Netscape KEYGEN tag request format does not support passing additional attributes, any request call that uses a Netscape KEYGEN tag request format MUST pass any additional attributes in the pwszAttributes parameter for the ICertRequestD::Request and ICertRequestD2::Request2 methods.

For processing rule specifications, see section 3.

Each attribute has an object identifier (OID), which MUST uniquely identify the attribute, and a value. The value MUST be an ASN.1 DER-encoded value, as specified in [X690]. The following sections define the various attributes for this protocol and define their formats.
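
The following added example (not part of the specification) shows how a reviewer can list the attributes carried in the Attributes field of a PKCS #10 request as OID and raw DER value pairs. The sample request is constructed for illustration: it has a placeholder subject, key and signature, and carries the PKCS #9 unstructuredName OID and 1.3.6.1.4.1.311.13.2.3 (szOID_OS_VERSION) with assumed IA5String values.

```python
# Added example: list the attributes of a PKCS #10 request (structure only, no signature check).
def tlv(tag, body):                      # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject indefinite or truncated lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(body):                      # split into (tag, value, raw_tlv) tuples
    out, pos = [], 0
    while pos < len(body):
        tag, val, nxt = read_tlv(body, pos)
        out.append((tag, val, body[pos:nxt]))
        pos = nxt
    return out

def oid_str(content):
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    first = min(arcs[0] // 40, 2)        # first two arcs share one subidentifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def request_attributes(csr):             # returns [(oid, [raw DER value, ...])]
    info = children(read_tlv(csr, 0)[1])[0][1]       # CertificationRequestInfo
    out = []
    for tag, val, _ in children(info):
        if tag == 0xA0:                              # [0] IMPLICIT SET OF Attribute
            for _, attr, _ in children(val):
                (_, oid, _), (_, values, _) = children(attr)[:2]
                out.append((oid_str(oid), [raw for _, _, raw in children(values)]))
    return out

def sample_request():                    # constructed: placeholder subject, key, signature
    attr = lambda oid, s: tlv(0x30, tlv(0x06, bytes.fromhex(oid)) + tlv(0x31, tlv(0x16, s)))
    attrs = attr("2a864886f70d010902", b"host.example") + attr("2b0601040182370d0203", b"10.0.19045.2")
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, attrs))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Calling request_attributes(sample_request()) returns the two OIDs in dotted form, each with its DER-encoded value left undecoded so that it can be checked against the format defined for that attribute.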