Processing Renewal Request on Behalf of a Different Subject

The CA SHOULD accept renewal requests submitted on behalf of other end entities.<109> The client indicates this type of request by setting 0x00200000 bit of the dwFlags parameter of the Request method.

The following are the rules for processing these types of requests:

  1. The CA MUST validate the format of the certificate request as specified in sections and

  2. If the CA implements the Config_CA_Allow_RenewOnBehalfOf_Requests datum and it is set to false, the CA MUST return a nonzero error.

  3. For a renewal request on behalf of others, the key that signed the request MUST be treated as the authentication of the renewal request, overriding any authentication applied to the message that carries this request. If the CA fails to identify the end entity, it MUST return a nonzero error.

  4. Once the end entity has been identified in step 3, the CA MUST process the request as if that end-entity has made the call to the Request method and follow the all of the method's applicable processing rules as specified in section