IX509CertificateRequestPkcs7 interface (certenroll.h)
The IX509CertificateRequestPkcs7 interface represents a PKCS #7 certificate message syntax (CMS) object. PKCS #7 defines the format of messages sent to a certification or registration authority to request a public-key certificate. The IX509CertificateRequestPkcs7 interface can be confusing because its implementation does not perfectly mirror the way most security professionals think about the PKCS #7 standard. To avoid this confusion, keep the following points in mind:
- Although a PKCS #7 message is used to wrap a CMC request, an IX509CertificateRequestPkcs7 object cannot contain a IX509CertificateRequestCmc object. Instead, the IX509CertificateRequestCmc interface inherits and implements the IX509CertificateRequestPkcs7 interface. As implemented, a CMC request is therefore a PKCS #7 SignedData object that contains CMC content, a primary signature that is either null-signed or key-based, and zero or more certificate-based signatures. By contrast, a PKCS #7 request is a SignedData object that contains PKCS #10 content (see the next item in this list) and has exactly one certificate-based signature.
- An IX509CertificateRequestPkcs7 must contain an IX509CertificateRequestPkcs10 object. The main advantage of wrapping a PKCS #10 request in a PKCS #7 message is the ability to add multiple signers. The PKCS #10 request is signed by the associated private key, and the PKCS #7 message that wraps the PKCS #10 request is also signed. This second signer uses the certificate being renewed (for a renewal request) or the enrollment agent certificate (for an enroll-on-behalf-of request).
- You can create and enroll a stand-alone IX509CertificateRequestPkcs10 certificate request without wrapping it in an IX509CertificateRequestPkcs7 object.
The ASN.1 representation of a PKCS #7 object in the following syntax example shows that it can be composed of a variety of data types.
PKCS7ContentTable PKCS7-CONTENT-TYPE ::=
{
data | signed-data | enveloped-data | signed-and-enveloped-data |
digested-data | encrypted-data | authenticated-data, ...
}
Of these, the SignedData object shown below is most relevant. The SignerInfo object referenced in the SignedData object contains the signature information. For a more complete discussion, see PKCS #7 Attributes.
-------------------------------------------------------------------
-- signed-data
-------------------------------------------------------------------
SignedData ::= SEQUENCE
{
version INTEGER,
digestAlgorithms DigestAlgorithmIdentifiers,
contentInfo ContentInfo,
certificates [0] IMPLICIT Certificates OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
signerInfos SignerInfos
}
SignerInfo ::= SEQUENCE
{
version INTEGER,
sid CertIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unauthenticatedAttributes [1] IMPLICIT Attributes
}
Inheritance
The IX509CertificateRequestPkcs7 interface inherits from IX509CertificateRequest. IX509CertificateRequestPkcs7 also has these types of members:
Methods
The IX509CertificateRequestPkcs7 interface has these methods.
| IX509CertificateRequestPkcs7::get_RequesterName Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate. (Get) |
| IX509CertificateRequestPkcs7::get_SignerCertificate Specifies or retrieves a certificate used to sign the certificate request. (Get) |
| IX509CertificateRequestPkcs7::InitializeDecode Decodes an existing signed or unsigned PKCS (IX509CertificateRequestPkcs7.InitializeDecode) |
| IX509CertificateRequestPkcs7::InitializeFromCertificate Initializes the certificate request by using an existing certificate. (IX509CertificateRequestPkcs7.InitializeFromCertificate) |
| IX509CertificateRequestPkcs7::InitializeFromInnerRequest Initializes the certificate request from the inner PKCS |
| IX509CertificateRequestPkcs7::InitializeFromTemplateName Initializes the certificate request by using a template. (IX509CertificateRequestPkcs7.InitializeFromTemplateName) |
| IX509CertificateRequestPkcs7::put_RequesterName Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate. (Put) |
| IX509CertificateRequestPkcs7::put_SignerCertificate Specifies or retrieves a certificate used to sign the certificate request. (Put) |
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows Vista [desktop apps only] |
| Minimum supported server | Windows Server 2008 [desktop apps only] |
| Target Platform | Windows |
| Header | certenroll.h |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for