IX509CertificateRequestPkcs7 interface (certenroll.h)

The IX509CertificateRequestPkcs7 interface represents a PKCS #7 certificate message syntax (CMS) object. PKCS #7 defines the format of messages sent to a certification or registration authority to request a public-key certificate. The IX509CertificateRequestPkcs7 interface can be confusing because its implementation does not perfectly mirror the way most security professionals think about the PKCS #7 standard. To avoid this confusion, keep the following points in mind:

  • Although a PKCS #7 message is used to wrap a CMC request, an IX509CertificateRequestPkcs7 object cannot contain a IX509CertificateRequestCmc object. Instead, the IX509CertificateRequestCmc interface inherits and implements the IX509CertificateRequestPkcs7 interface. As implemented, a CMC request is therefore a PKCS #7 SignedData object that contains CMC content, a primary signature that is either null-signed or key-based, and zero or more certificate-based signatures. By contrast, a PKCS #7 request is a SignedData object that contains PKCS #10 content (see the next item in this list) and has exactly one certificate-based signature.
  • An IX509CertificateRequestPkcs7 must contain an IX509CertificateRequestPkcs10 object. The main advantage of wrapping a PKCS #10 request in a PKCS #7 message is the ability to add multiple signers. The PKCS #10 request is signed by the associated private key, and the PKCS #7 message that wraps the PKCS #10 request is also signed. This second signer uses the certificate being renewed (for a renewal request) or the enrollment agent certificate (for an enroll-on-behalf-of request).
  • You can create and enroll a stand-alone IX509CertificateRequestPkcs10 certificate request without wrapping it in an IX509CertificateRequestPkcs7 object.

The ASN.1 representation of a PKCS #7 object in the following syntax example shows that it can be composed of a variety of data types.


PKCS7ContentTable PKCS7-CONTENT-TYPE ::=
{
    data | signed-data | enveloped-data | signed-and-enveloped-data |
    digested-data | encrypted-data | authenticated-data, ...
}

Of these, the SignedData object shown below is most relevant. The SignerInfo object referenced in the SignedData object contains the signature information. For a more complete discussion, see PKCS #7 Attributes.


-------------------------------------------------------------------
-- signed-data
-------------------------------------------------------------------

SignedData ::= SEQUENCE 
{
  version           INTEGER,
  digestAlgorithms  DigestAlgorithmIdentifiers,
  contentInfo       ContentInfo,
  certificates      [0] IMPLICIT Certificates OPTIONAL,
  crls              [1] IMPLICIT CertificateRevocationLists OPTIONAL,
  signerInfos       SignerInfos
}

SignerInfo ::= SEQUENCE 
{
  version                     INTEGER,
  sid                         CertIdentifier,
  digestAlgorithm             DigestAlgorithmIdentifier,
  authenticatedAttributes     [0] IMPLICIT Attributes OPTIONAL,
  signatureAlgorithm          SignatureAlgorithmIdentifier,
  signature                   SignatureValue,
  unauthenticatedAttributes   [1] IMPLICIT Attributes
}
 

Inheritance

The IX509CertificateRequestPkcs7 interface inherits from IX509CertificateRequest. IX509CertificateRequestPkcs7 also has these types of members:

Methods

The IX509CertificateRequestPkcs7 interface has these methods.

 
IX509CertificateRequestPkcs7::get_RequesterName

Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate. (Get)
IX509CertificateRequestPkcs7::get_SignerCertificate

Specifies or retrieves a certificate used to sign the certificate request. (Get)
IX509CertificateRequestPkcs7::InitializeDecode

Decodes an existing signed or unsigned PKCS (IX509CertificateRequestPkcs7.InitializeDecode)
IX509CertificateRequestPkcs7::InitializeFromCertificate

Initializes the certificate request by using an existing certificate. (IX509CertificateRequestPkcs7.InitializeFromCertificate)
IX509CertificateRequestPkcs7::InitializeFromInnerRequest

Initializes the certificate request from the inner PKCS
IX509CertificateRequestPkcs7::InitializeFromTemplateName

Initializes the certificate request by using a template. (IX509CertificateRequestPkcs7.InitializeFromTemplateName)
IX509CertificateRequestPkcs7::put_RequesterName

Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate. (Put)
IX509CertificateRequestPkcs7::put_SignerCertificate

Specifies or retrieves a certificate used to sign the certificate request. (Put)

Requirements

   
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

CertEnroll Interfaces

IX509CertificateRequest