This applies to [MS-WCCE] §3.2.1.4.3.2.16 PropID = 0x00000010 (CR_PROP_CAXCHGCERTCHAIN) "CA Exchange Certificate Chain"
The documentation says that:
Contains CA's certificate stored in the Signing_Cert_Certificate datum and its parent certificates excluding the root certificate
The emphasized statement is not correct. The existing implementation of Microsoft CA indeed returns the root certificate in the PKCS#7 bag. Either it is a doc bug or an implementation bug. Here is the PowerShell repro:
PS C:\> $req = New-Object -com certificateauthority.request
PS C:\> $c = $req.GetCAProperty("dc2\contoso-dc2-ca",0xD,-1,3,1)
PS C:\> $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
PS C:\> $certs.Import([convert]::FromBase64String($c))
PS C:\> $certs
Thumbprint Subject
---------- -------
5DF395AFFB9E6FB62F6EC58DF6790150954949AF CN=Contoso CA, DC=contoso, DC=com
47FA4766AC5B9B81DFE91FD3682670FD6AF64BB8 CN=contoso-DC2-CA, DC=contoso, DC=com
PS C:\> $c = $req.GetCAProperty("dc2\contoso-dc2-ca",0x10,-1,3,1)
PS C:\> $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
PS C:\> $certs.Import([convert]::FromBase64String($c))
PS C:\> $certs
Thumbprint Subject
---------- -------
765C34B3AC4E9B2D546685FEEA1655096215DE1F CN=contoso-DC2-CA-Xchg, DC=contoso, DC=com
5DF395AFFB9E6FB62F6EC58DF6790150954949AF CN=Contoso CA, DC=contoso, DC=com
BAECBFAE803F1F2E483839666791791AA461A5D0 CN=contoso-DC2-CA, DC=contoso, DC=com
PS C:\>
The first call requests the chain of the most recent CA certificate (CR_PROP_CASIGCERTCHAIN). It includes the CA certificate itself (CN=contoso-DC2-CA, DC=contoso, DC=com) and the root certificate (CN=Contoso CA, DC=contoso, DC=com). Then I'm calling CR_PROP_CAXCHGCERTCHAIN and dumping the certificates, and the dump contains the root certificate (CN=Contoso CA, DC=contoso, DC=com) as well.