3.1.1.4.3.1.1 New Certificate Request Using PKCS #10 Request Format

The request MUST be an ASN.1 DER-encoded PKCS #10 request as specified in [RFC2986]. The PKCS #10 ASN.1 structure includes the following fields:

  • Attributes: This field SHOULD be used to send additional parameters to the CA.

    Section 2.2.2.7 specifies the required format for each of these attributes. The following OIDs identify the attributes that are supported by the protocol:

    • szOID_OS_VERSION (1.3.6.1.4.1.311.13.2.3): The client SHOULD use this attribute to specify the version information of the client's operating system in the form of a string. <22> The client SHOULD encode the value of this attribute as an IA5String. The format for this attribute is as specified in section 2.2.2.7.

    • szOID_ENROLLMENT_CSP_PROVIDER (1.3.6.1.4.1.311.13.2.2): The client SHOULD use this attribute to specify the CSP that was used to generate a private key. CSP specifications are in section 1.1.

    • szOID_REQUEST_CLIENT_INFO (1.3.6.1.4.1.311.21.20): Clients SHOULD use this value to pass additional client information such as machine name, user name, and application name. For details see section 2.2.2.7.4.

    • szOID_CERT_EXTENSIONS (1.3.6.1.4.1.311.2.1.14): The client SHOULD use this value to pass additional certificate extensions that are to be added to the issued certificate.

    • szOID_ENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1): The client SHOULD use this value to pass additional enrollment information as a name-value pair collection. The following are the names that are supported by the protocol and their associated client-processing rules:

      • SAN: The client SHOULD use this value to pass a string that defines the requested value for the SubjectAltName extension in the issued certificate. Specifications on possible values for this attribute are in section 3.2.1.4.2.1.2.

      • CertificateUsage: The client SHOULD use this value to pass one or more OIDs that define the requested ExtendedKeyUsage extension for the issued certificate, as specified in [RFC3280] section 4.2.1.13.

      • ValidityPeriod: The client SHOULD use this value to request the CA to issue the certificate for a specific validity time. For example, if the validity period is three weeks, then the client requests that the issued certificate be valid for three weeks after issuance. If ValidityPeriod is used, the client MUST use it with the ValidityPeriodUnits attribute.

      • ValidityPeriodUnits: The client SHOULD use this value to send the count of "ValidityPeriod" for the requested validity period for the issued certificate. The client MUST use this attribute with the ValidityPeriod attribute.

      • cdc: The client SHOULD use this value to pass an Active Directory server FQDN for the CA to use in case the end entity's information cannot be obtained.

      • rmd: The client SHOULD use this value to identify the exact FQDN of the machine object associated with the request.
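As an added example that is not part of the specification, the following Python builds the szOID_ENROLLMENT_NAME_VALUE_PAIR attribute carrying the names listed above, decodes it back out of DER, and applies the ValidityPeriod/ValidityPeriodUnits pairing rule as a CA-side audit check. The DER shape of each pair (a SEQUENCE of two BMPStrings), the sample values and all function names are assumptions, not taken from this page.

```python
# Added example, not from the specification: build, decode and audit the
# szOID_ENROLLMENT_NAME_VALUE_PAIR attribute (1.3.6.1.4.1.311.13.2.1).
# Assumed DER shape of each pair: SEQUENCE { name BMPString, value BMPString }.
# DER tags: 0x06 OID, 0x1E BMPString, 0x30 SEQUENCE, 0x31 SET.
OID_NAME_VALUE_PAIR = "1.3.6.1.4.1.311.13.2.1"

def tlv(tag, body):  # tag-length-value, short-form length only
    assert len(body) < 0x80, "long-form DER length not handled in this example"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # base-128, high bit = more to come
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name_value_attribute(pairs):
    """Attribute ::= SEQUENCE { type OID, values SET OF EnrollmentNameValuePair }."""
    bmp = lambda s: tlv(0x1E, s.encode("utf-16-be"))
    values = b"".join(tlv(0x30, bmp(n) + bmp(v)) for n, v in pairs)
    return tlv(0x30, encode_oid(OID_NAME_VALUE_PAIR) + tlv(0x31, values))

def read_tlv(buf, pos):  # (tag, body, position after the element), short-form only
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def decode_name_value_attribute(attr):
    """Return the (name, value) list, or None if the attribute has another OID."""
    _, body, _ = read_tlv(attr, 0)
    _, oid, pos = read_tlv(body, 0)
    if oid != encode_oid(OID_NAME_VALUE_PAIR)[2:]:
        return None
    _, values, _ = read_tlv(body, pos)
    pairs, pos = [], 0
    while pos < len(values):
        _, pair, pos = read_tlv(values, pos)
        _, name, p = read_tlv(pair, 0)
        _, value, _ = read_tlv(pair, p)
        pairs.append((name.decode("utf-16-be"), value.decode("utf-16-be")))
    return pairs

def audit_pairs(pairs):
    """Findings a CA-side reviewer would log before honouring the request."""
    names = {n for n, _ in pairs}
    san = ["SAN requested via attribute; apply CA policy"] if "SAN" in names else []
    paired = ("ValidityPeriod" in names) == ("ValidityPeriodUnits" in names)
    return san + ([] if paired else ["ValidityPeriod and ValidityPeriodUnits MUST be used together"])
```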