3.1.1.4.3.6 Certificate Requests with Private Key Info
Before submitting a request to the CA for archiving purposes, the client MUST initialize a secure channel to the CA. To create a secure channel to the CA, the client MUST retrieve the current CA key exchange certificate, either through a call to ICertRequestD::GetCACert (while providing the GETCERT_CAXCHGCERT 0x00000001 property identifier (ID) in the fchain parameter) or a call to ICertRequestD2::GetCAProperty (while providing the CR_PROP_CAXCHGCERT 0x0000000F flag in the PropID parameter). Either method can be used to retrieve the CA key exchange certificate; neither is preferred over the other.
The client MUST locally generate a symmetric key and MUST use it to encrypt the private key associated with the certificate to be enrolled. The client MUST then encrypt the symmetric key by using the public key from the retrieved CA exchange certificate. The encrypted symmetric key MUST then be included in a certificate request, as specified in section 3.1.1.4.3.6.1.
For more information about the key archival and recovery process, see [MSFT-ARCHIVE].
When sending a request with an encrypted private key, clients MUST use the CMS structure with an embedded CMC request format, which MUST be as specified in [RFC3852] and [RFC2797]. The client MUST use ICertRequestD2::Request2 to submit the request and MUST follow the requirements specified in the following section.
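The key-archival envelope described above, as an added example that is not part of this specification: the client's hybrid-encryption step and the corresponding recovery on the CA side, written in Go against the standard library. Assumptions not in the text: AES-256-GCM as the symmetric cipher, RSA-OAEP for wrapping the symmetric key, and a plain triple of byte slices in place of the CMS EnvelopedData that the real request carries.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRSAKey stands in for both the CA exchange key and the key being enrolled.
func newRSAKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// aeadFor is this example's symmetric cipher (AES-256-GCM), not the CMS encoding.
func aeadFor(sym []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(sym))))
}

// ClientArchive: fresh symmetric key -> encrypt PKCS#8 private key -> wrap that key to the CA exchange public key.
func ClientArchive(caXchgPub *rsa.PublicKey, toEnroll *rsa.PrivateKey) (wrapped, nonce, encKey []byte) {
	der := must(x509.MarshalPKCS8PrivateKey(toEnroll))
	sym := make([]byte, 32) // never leaves the client in the clear
	rand.Read(sym)
	gcm := aeadFor(sym)
	nonce = make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, caXchgPub, sym, nil))
	return wrapped, nonce, gcm.Seal(nil, nonce, der, nil)
}

// CARecover: only the holder of the exchange private key can unwrap; a wrong key or tampering yields an error.
func CARecover(caXchgPriv *rsa.PrivateKey, wrapped, nonce, encKey []byte) (any, error) {
	sym, err := rsa.DecryptOAEP(sha256.New(), nil, caXchgPriv, wrapped, nil)
	if err != nil || len(sym) != 32 { // wrong key, damaged or malformed wrap
		return nil, rsa.ErrDecryption
	}
	der, err := aeadFor(sym).Open(nil, nonce, encKey, nil) // GCM tag check
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS8PrivateKey(der)
}
```

Because whoever holds the private key matching the retrieved exchange certificate can recover every archived private key, the client's check that the certificate really belongs to the CA is the security-critical step of this exchange.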