3.1.1.4.3.6.1 Certificate Request with a Private Key Using CMC Request Format

The request MUST be an ASN.1 DER-encoded CMS request (as specified in [RFC3852]) that includes a CMC request (as specified in [RFC2797]). The ASN.1 structure includes the following fields:

  • The client MUST construct a PKCS #10, as specified in sections 2.2.2.6.5 and 3.1.1.4.3.1.1.

  • The client MUST construct an EnvelopedData CMS structure that complies with the following requirements:

    • RecipientInfos: This field MUST reference the CA exchange certificate that contains the public key that is used to encrypt the client private key. The exact format of RecipientInfos is specified in [RFC3852] section 6.1.

    • EncryptedContent: This field MUST be the encrypted private key (from the public/private key pair that is used in the PKCS #10 of the preceding step).

  • The client MUST construct a CMC that complies with the following requirements:

    • TaggedRequest: This field MUST contain exactly one certificate request. The certificate request MUST be the PKCS #10 constructed in the preceding (first) step.

    • TaggedAttributes: This field MUST include the key hash attribute. The OID for this attribute is szOID_ENCRYPTED_KEY_HASH (1.3.6.1.4.1.311.21.21). The value for this attribute MUST be the hash of the ASN.1 DER-encoded value of the EnvelopedData CMS structure that is created in the preceding (second) step. The hash algorithm MUST be the same as the algorithm used to sign the certificate request itself. The hash value MUST be encoded as an octet string. The client MAY pass additional enrollment attributes in the RegInfo attribute as specified in [RFC2797] section 5.12. The format and semantics for the value of this attribute are identical to the values that are defined for the pwszAttributes parameter for ICertRequestD2::Request2. For more information about the supported attributes, see section 3.1.1.4.3.1.1. The client MUST set the Y flag in the dwFlags parameter of ICertRequestD2::Request2.

  • The client MUST construct a CMS that complies with the following requirements:

    • ContentType: This field MUST be the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).

    • Content: This field MUST be a SignedData that uses the following values for its fields:

      • encapContentInfo: This field MUST have the following values for its fields:

        • eContentType: This field MUST be the OID szOID_CT_PKI_DATA (1.3.6.1.5.5.7.12.2, Id-cct-PKIData).

        • eContent: This field MUST be the CMC certificate request that is constructed in the preceding (third) step.

      • SignerInfo: This CMS certificate request MUST be signed with the private key that is associated with the PKCS #10 certificate request that is constructed in the preceding (first) step. The UnauthenticatedAttributes of the SignerInfo field MUST contain the OID szOID_ARCHIVED_KEY_ATTR (1.3.6.1.4.1.311.21.13) attribute. The value of this attribute is the CMS certificate request that is constructed in the preceding (second) step.
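The following is an added example, not part of the specification. It shows how the key hash attribute ties the encrypted private key to the signed request: the EnvelopedData travels in UnauthenticatedAttributes, which the CMS signature does not cover, so a receiver can recompute the hash and compare it with the value carried in the signed TaggedAttributes. The function names, the `sig_hash` parameter (standing for the hash algorithm used to sign the request) and the sample blob are assumptions made for illustration.

```python
import hashlib
import hmac

# OID of the key hash attribute, as given in the section above.
OID_ENCRYPTED_KEY_HASH = "1.3.6.1.4.1.311.21.21"

def der_len(n):
    """DER definite length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_octet_string(data):
    return b"\x04" + der_len(len(data)) + data

def der_read(buf, tag):
    """Read one TLV with the expected tag; return (value, rest). Rejects non-DER lengths."""
    if len(buf) < 2 or buf[0] != tag:
        raise ValueError("unexpected tag")
    n, off = buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4 or len(buf) < 2 + k:
            raise ValueError("bad length")
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
        if n < 0x80 or buf[2] == 0:
            raise ValueError("non-minimal length")
    if len(buf) < off + n:
        raise ValueError("truncated")
    return buf[off:off + n], buf[off + n:]

def key_hash_value(enveloped_der, sig_hash="sha256"):
    """Client side: attribute value = OCTET STRING(hash(DER EnvelopedData))."""
    return der_octet_string(hashlib.new(sig_hash, enveloped_der).digest())

def archived_key_matches(attr_value, enveloped_der, sig_hash="sha256"):
    """Receiver side: does the signed key hash cover this unsigned blob?"""
    try:
        digest, rest = der_read(attr_value, 0x04)
    except ValueError:
        return False
    expected = hashlib.new(sig_hash, enveloped_der).digest()
    return not rest and hmac.compare_digest(digest, expected)

# Constructed stand-in for a DER EnvelopedData (opaque SEQUENCE, not a real key blob).
SAMPLE_ENVELOPED = b"\x30" + der_len(200) + bytes(range(200))
```

A mismatch means the archived key blob was swapped or altered after signing, or that the hash was computed with a different algorithm than the one used to sign the request.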

Note: All the request formats detailed in the following sections MUST be marshaled via DER-encoding rules, as specified in [X690], for transmission.