3.2.5.4 Creating Health Certificate Request by HRA

Create the Certificate Request using PKCS10 format

The health registration authority (HRA) MUST create a certificate request for use as a parameter for the interface ICertRequestD::Request as specified in [MS-WCCE] section 3.1.1.4.3.1.3 "New Certificate Request Using CMS and CMC Formats". This involves creating a certificate request using PKCS#10 syntax and then encapsulating this request into a CMC certificate request message using CMS syntax. (PKCS#10 syntax is specified by [RFC2986], CMC protocol is specified by [RFC2797], and CMS syntax is specified by [RFC3852]). The certificate request in PKCS #10 syntax is created with the following fields:

  • If the client is not authenticated, add a subject name field set to "CN=Unauthenticated System Health Authentication".

  • Add the 1.3.6.1.4.1.311.2.1.14 (szOID_CERT_EXTENSIONS) attribute specified in [MS-WCCE] section 2.2.2.7.7 containing the following:

    • A Subject Alternative Name (SAN) extension as specified in [RFC3280] section 4.2.1.7, carrying the client's names as follows:

      • A dNSName GeneralName set to the DNS name obtained from the client's certificate request (input).

      • An otherName GeneralName set to the client's UPN (input).

    • The HRA MAY add a Certificate Policies extension as specified in [RFC3280] section 4.2.1.5:<39>

      • The extension contains three instances of PolicyInformation, defined as follows:

        • If the client is compliant, set policyIdentifier to "1.3.6.1.4.1.311.47.1.10" (napPolicyInformationCompliantOid) specified in section 2.2.3.1 and no policyQualifiers. If the client is noncompliant, set policyIdentifier to "1.3.6.1.4.1.311.47.1.11" (napPolicyInformationNotCompliantOid) specified in section 2.2.3.2 and no policyQualifiers.

        • policyIdentifier set to "1.3.6.1.4.1.311.47.1.12" (napPolicyInformationIsolationStateOid) specified in section 2.2.3.3 and one instance of the PolicyQualifierInfo of type UserNotice, where explicitText is set to one of the following values:

          • Compliant.

          • Network connectivity is not being restricted but might be at a later time.

          • Noncompliant.

        • policyIdentifier set to "1.3.6.1.4.1.311.47.1.13" (napPolicyInformationExtendedStateOid) specified in section 2.2.3.4 and one instance of the PolicyQualifierInfo of type UserNotice, where explicitText is set to one of the following values:

          • No additional data.

          • Transition data.

          • Infected data.

          • Unknown data.

    • A Key Usage extension as specified in [RFC3280] section 4.2.1.3, with the KeyUsage value set to 0x80 (digitalSignature only) and marked as critical.

    • A Subject Key Identifier (SKI) extension as specified in [RFC3280] section 4.2.1.2.

    • The HRA MAY add an Extended Key Usage (EKU) extension as specified in [RFC3280] section 4.2.1.13, with the following usages: 1.3.6.1.4.1.311.47.1.1 (napHealthyOid) specified in section 2.2.3.5 and 1.3.6.1.5.5.7.3.2 (szOID_PKIX_KP_CLIENT_AUTH).<40>

    • The HRA MAY add Certificate Application Policy according to [MS-WCCE] section 2.2.2.7.7.3.<41>

      • When the client is compliant, add "1.3.6.1.4.1.311.47.1.1" (napHealthyOid); else add "1.3.6.1.4.1.311.47.1.3" (napUnhealthyOid) specified in section 2.2.3.6.

      • If the client is authenticated, add client auth application policy "1.3.6.1.5.5.7.3.2" (szOID_PKIX_KP_CLIENT_AUTH).

    • The HRA MAY add a Certificate Template OID extension as specified in [MS-WCCE] section 2.2.2.7.7.2.<42>

  • The HRA MAY add other attributes for implementation-specific use to the request, as specified by PKCS #10 [RFC2986].

Create the CMC request and initialize it from the PKCS #10 request

  • Create a CMC request as specified in [MS-WCCE] section 3.1.1.4.3.1.3 and set TaggedRequest to the PKCS10 request created above.

  • Add CMC extensions: add the addExtensions control attribute specified in [RFC2797] section 5.5, containing the following certificate extensions:

    • Add application policy according to [MS-WCCE] section 2.2.2.7.7.3:

      • When the client is compliant, add "1.3.6.1.4.1.311.47.1.1" (napHealthyOid); else add "1.3.6.1.4.1.311.47.1.3" (napUnhealthyOid).

      • If the client is authenticated, add the client auth application policy "1.3.6.1.5.5.7.3.2" (szOID_PKIX_KP_CLIENT_AUTH).

    • Add the Extended Key Usage extension as specified in [RFC3280] section 4.2.1.13:

      • When the client is compliant, add "1.3.6.1.4.1.311.47.1.1" (napHealthyOid); else add "1.3.6.1.4.1.311.47.1.3" (napUnhealthyOid). (These are the same OIDs used for the application policy above; the Certificate Policies OIDs 1.3.6.1.4.1.311.47.1.10 and 1.3.6.1.4.1.311.47.1.11 are not used in the EKU.)

      • If the client is authenticated, add the client authentication usage "1.3.6.1.5.5.7.3.2" (szOID_PKIX_KP_CLIENT_AUTH).

  • If the HRA uses an enterprise CA, it MAY add the certificate template extension as specified in [MS-WCCE] section 2.2.2.7.7.1, with the Name field set to the template name configured by the administrator.<43>

  • The HRA MAY add a control attribute 1.3.6.1.4.1.311.10.10.1 (szOID_CMC_ADD_ATTRIBUTES). The structure of the szOID_CMC_ADD_ATTRIBUTES type is identical to the Attributes type specified in [RFC2986] section 4.1. The structure SHOULD contain these attributes:<44>

    • The 1.3.6.1.4.1.311.13.2.3 (szOID_OS_VERSION) attribute as specified in [MS-WCCE] section 2.2.2.7.1.<45><46>

    • The 1.3.6.1.4.1.311.21.20 (szOID_REQUEST_CLIENT_INFO) attribute as specified in [MS-WCCE] section 2.2.2.7.4.<47>
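As an added worked example covering both the szOID_CERT_EXTENSIONS attribute of the PKCS #10 request and the CMC addExtensions control that carries the same extensions (this is not code from the MS-HCEP specification or from any Microsoft HRA implementation), the following Python hand-encodes the DER for each field the section lists, so the byte layout can be inspected. The standard extension OIDs, id-qt-unotice, the UPN otherName OID (szOID_NT_PRINCIPAL_NAME, 1.3.6.1.4.1.311.20.2.3), id-cmc-addExtensions and the choice of UTF8String for explicitText are assumptions taken from [RFC3280], [RFC2797] and [MS-WCCE] rather than from this page; the sample host name, UPN, body-part IDs and public-key bytes are constructed. The EKU follows the rule given for the CMC addExtensions control (napHealthyOid or napUnhealthyOid by compliance state, client authentication only for an authenticated client).

```python
"""Added worked example for MS-HCEP 3.2.5.4, not code from the specification or any
Microsoft implementation. Hand-encodes (no ASN.1 library) the szOID_CERT_EXTENSIONS
attribute for the PKCS#10 request and the CMC addExtensions control carrying the same
extensions. ASSUMED (not on the page): standard extension OIDs, UPN otherName OID,
id-cmc-addExtensions, UTF8String for DisplayText."""
import hashlib

SZOID_CERT_EXTENSIONS, ID_CMC_ADD_EXTENSIONS = "1.3.6.1.4.1.311.2.1.14", "1.3.6.1.5.5.7.7.8"
NAP_COMPLIANT, NAP_NOT_COMPLIANT = "1.3.6.1.4.1.311.47.1.10", "1.3.6.1.4.1.311.47.1.11"
NAP_ISOLATION_STATE, NAP_EXTENDED_STATE = "1.3.6.1.4.1.311.47.1.12", "1.3.6.1.4.1.311.47.1.13"
NAP_HEALTHY, NAP_UNHEALTHY = "1.3.6.1.4.1.311.47.1.1", "1.3.6.1.4.1.311.47.1.3"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
# ASSUMED: RFC 3280 extension OIDs, id-qt-unotice, szOID_NT_PRINCIPAL_NAME (UPN otherName)
ID_SAN, ID_CERT_POLICIES, ID_KEY_USAGE = "2.5.29.17", "2.5.29.32", "2.5.29.15"
ID_SKI, ID_EKU, ID_QT_UNOTICE = "2.5.29.14", "2.5.29.37", "1.3.6.1.5.5.7.2.2"
UPN_OTHERNAME = "1.3.6.1.4.1.311.20.2.3"
ISOLATION_TEXTS = ("Compliant.", "Noncompliant.",
                   "Network connectivity is not being restricted but might be at a later time.")
EXTENDED_TEXTS = ("No additional data.", "Transition data.", "Infected data.", "Unknown data.")

def tlv(tag, content):
    """One DER TLV: tag byte, definite length (short or long form), content."""
    n = len(content)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def extension(ext_oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits a value equal to the DEFAULT
    return seq(oid(ext_oid), crit, tlv(0x04, value))

def san_extension(dns_name, upn):
    """SAN: UPN as otherName [0] { type-id, [0] EXPLICIT UTF8String } and a dNSName [2] IA5String."""
    other = tlv(0xA0, oid(UPN_OTHERNAME) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
    return extension(ID_SAN, seq(other, tlv(0x82, dns_name.encode("ascii"))))

def _user_notice(policy_oid, text):
    """PolicyInformation with one UserNotice qualifier whose explicitText is `text`."""
    return seq(oid(policy_oid), seq(seq(oid(ID_QT_UNOTICE), seq(tlv(0x0C, text.encode("utf-8"))))))

def nap_certificate_policies(compliant, isolation_text, extended_text):
    """Three PolicyInformation instances: compliance OID (no qualifier), isolation state, extended state."""
    if isolation_text not in ISOLATION_TEXTS or extended_text not in EXTENDED_TEXTS:
        raise ValueError("explicitText must be one of the values listed in the section")
    compliance = seq(oid(NAP_COMPLIANT if compliant else NAP_NOT_COMPLIANT))
    return extension(ID_CERT_POLICIES, seq(compliance, _user_notice(NAP_ISOLATION_STATE, isolation_text),
                                           _user_notice(NAP_EXTENDED_STATE, extended_text)))

def key_usage_digital_signature():
    """KeyUsage BIT STRING 0x80 = digitalSignature only (7 unused bits), marked critical."""
    return extension(ID_KEY_USAGE, tlv(0x03, b"\x07\x80"), critical=True)

def subject_key_identifier(subject_public_key):
    """SKI as SHA-1 of the subjectPublicKey bits (RFC 3280 4.2.1.2 method 1)."""
    return extension(ID_SKI, tlv(0x04, hashlib.sha1(subject_public_key).digest()))

def nap_eku(compliant, authenticated):
    """EKU: napHealthyOid or napUnhealthyOid, plus clientAuth only when the client is authenticated."""
    usages = [oid(NAP_HEALTHY if compliant else NAP_UNHEALTHY)]
    if authenticated:
        usages.append(oid(CLIENT_AUTH))
    return extension(ID_EKU, seq(*usages))

def nap_extensions(dns_name, upn, compliant, authenticated, subject_public_key, isolation_text, extended_text):
    """Extensions ::= SEQUENCE OF Extension, in the order the section lists them."""
    return seq(san_extension(dns_name, upn), nap_certificate_policies(compliant, isolation_text, extended_text),
               key_usage_digital_signature(), subject_key_identifier(subject_public_key),
               nap_eku(compliant, authenticated))

def cert_extensions_attribute(extensions):
    """PKCS#10 Attribute ::= SEQUENCE { type szOID_CERT_EXTENSIONS, values SET OF Extensions }."""
    return seq(oid(SZOID_CERT_EXTENSIONS), tlv(0x31, extensions))

def add_extensions_control(body_part_id, pki_data_ref, cert_ref, extensions):
    """CMC TaggedAttribute { bodyPartID, id-cmc-addExtensions, SET { AddExtensions } } (RFC 2797 5.5);
    AddExtensions ::= SEQUENCE { pkiDataReference, certReferences SEQUENCE OF BodyPartID, extensions }.
    BodyPartIDs here are small and non-negative, so one INTEGER content byte suffices."""
    add_ext = seq(tlv(0x02, bytes([pki_data_ref])), seq(tlv(0x02, bytes([cert_ref]))), extensions)
    return seq(tlv(0x02, bytes([body_part_id])), oid(ID_CMC_ADD_EXTENSIONS), tlv(0x31, add_ext))

if __name__ == "__main__":
    # Constructed sample input: a real HRA takes the names from the client's request and hashes its real key.
    exts = nap_extensions("client01.corp.example", "client01$@corp.example", compliant=False, authenticated=True,
                          subject_public_key=bytes(range(64)), isolation_text="Noncompliant.",
                          extended_text="Infected data.")
    print("PKCS#10 attribute:", cert_extensions_attribute(exts).hex())
    print("CMC addExtensions:", add_extensions_control(2, 0, 1, exts).hex())
```

Running the block prints the two hex blobs; feeding the PKCS #10 attribute into an ASN.1 dumper shows the five extensions in the order listed above, with the compliance OID 1.3.6.1.4.1.311.47.1.11 and the two UserNotice strings in the Certificate Policies extension. One caveat worth keeping in mind: the health state exists only as these HRA-asserted extensions, so a CA that honours szOID_CERT_EXTENSIONS or addExtensions from the request must restrict which requesters are allowed to submit them, otherwise any client could mint its own "compliant" assertion.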