3.1.2.4.2.1 Choosing Certificate Request Types

This section describes what type of certificate request is used in different situations.

  • If the IsRenewalRequest datum is set to false:

    • If the Certificate.Template.msPKI-Template-Schema-Version datum is equal to 1, the client SHOULD create a new certificate request as specified in section 3.1.1.4.3.1.1.

    • If the Certificate.Template.msPKI-Template-Schema-Version datum is equal to 2, 3, or 4, the client SHOULD<36> create a certificate request as follows:

      1. If the CT_FLAG_ATTEST_REQUIRED or CT_FLAG_ATTEST_PREFERRED flag under the Certificate.Template.msPKI-Private-Key-Flag datum is set, the client SHOULD create a new certificate request as specified in section 3.1.1.4.3.4.1.1 <37>; otherwise, if the CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL flag under the Certificate.Template.msPKI-Private-Key-Flag datum is set, the client MUST create the key archival certificate request as specified in section 3.1.1.4.3.5.1. Otherwise, the client creates a new certificate request as specified in section 3.1.1.4.3.1.3.

      2. If the RACertificates list is not empty, sign the request created in the previous step with each key from the RACertificates list and include each certificate associated with those keys in the certificates field of the CMS message.

    • If the Certificate.Template.msPKI-Template-Schema-Version datum has any other value or has not been set at all, the client SHOULD NOT<38> submit a certificate request.

  • If the IsRenewalRequest datum is set to true:

    • If the Certificate.Template.msPKI-Template-Schema-Version datum is equal to 1, the client SHOULD create a new certificate request as specified in section 3.1.1.4.3.2.1.

    • If the Certificate.Template.msPKI-Template-Schema-Version datum is equal to 2, 3, or 4, the client SHOULD<39> create a certificate request as follows:

      1. The client MUST create a renewal certificate request as specified in section 3.1.1.4.3.2.2.

      2. The client MUST sign the certificate request with a key from the CertificateToBeRenewed datum and include the associated certificate in the certificates field of the CMS message.

      3. If the RACertificates list is not empty, the request cannot be processed as a renewal request. Instead, the client MUST create a new certificate request as if the IsRenewalRequest datum were set to false.

    • If the Certificate.Template.msPKI-Template-Schema-Version datum has any other value or has not been set at all, the client SHOULD NOT<40> submit a certificate request.
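The decision procedure above, for both the new-request and the renewal branch, as an added example in Python; this is illustrative code written for this page, not code from the specification or from any Windows component. It assumes the RACertificates list is modelled as (private key, certificate) pairs, the CertificateToBeRenewed datum as one such pair, and it takes the numeric bit values of the three msPKI-Private-Key-Flag flags from MS-CRTD, since this page names the flags but not their values. It encodes the two points a reviewer most often gets wrong: attestation flags take precedence over key archival, and a renewal that carries RA signers is demoted to a new request (only for schema versions 2 to 4; the schema-version-1 branch has no such rule on this page).

```python
"""Select the MS-WCCE certificate request type (section 3.1.2.4.2.1).

Added example, not specification code. Flag bit values are taken from
MS-CRTD (msPKI-Private-Key-Flag); they are not stated on this page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, List, Optional, Tuple

CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
CT_FLAG_ATTEST_PREFERRED = 0x00001000
CT_FLAG_ATTEST_REQUIRED = 0x00002000

# (private key, certificate) pairs; the key is whatever object can sign the CMS message.
KeyAndCert = Tuple[Any, Any]


class RequestKind(Enum):
    """Each member names the MS-WCCE section that defines how to build the request."""
    NEW_V1 = "3.1.1.4.3.1.1"            # new request, template schema version 1
    NEW_V2 = "3.1.1.4.3.1.3"            # new request, schema version 2, 3 or 4
    NEW_ATTESTED = "3.1.1.4.3.4.1.1"    # key attestation request
    NEW_KEY_ARCHIVAL = "3.1.1.4.3.5.1"  # private key archival request
    RENEWAL_V1 = "3.1.1.4.3.2.1"        # renewal, schema version 1
    RENEWAL_V2 = "3.1.1.4.3.2.2"        # renewal, schema version 2, 3 or 4
    NONE = "do not submit"              # unknown or unset schema version


@dataclass
class Decision:
    kind: RequestKind
    signers: List[Any]              # keys whose CMS signatures wrap the inner request
    extra_certificates: List[Any]   # certificates to place in the CMS certificates field


def choose_request(is_renewal: bool,
                   schema_version: Optional[int],
                   private_key_flags: int,
                   ra_certificates: List[KeyAndCert],
                   certificate_to_be_renewed: Optional[KeyAndCert] = None) -> Decision:
    """Return which request to build and who signs it, following section 3.1.2.4.2.1."""
    # Schema version 1 templates use the legacy request formats in both branches.
    if schema_version == 1:
        kind = RequestKind.RENEWAL_V1 if is_renewal else RequestKind.NEW_V1
        return Decision(kind, [], [])

    # Any other value, or an unset datum (None), means no request is submitted.
    if schema_version not in (2, 3, 4):
        return Decision(RequestKind.NONE, [], [])

    # Renewal branch: only valid when no RA signers are required. If RACertificates
    # is non-empty the renewal cannot be processed and we fall through to the
    # new-request path below, exactly as if IsRenewalRequest were false.
    if is_renewal and not ra_certificates:
        if certificate_to_be_renewed is None:
            raise ValueError("renewal requires the CertificateToBeRenewed datum")
        old_key, old_cert = certificate_to_be_renewed
        return Decision(RequestKind.RENEWAL_V2, [old_key], [old_cert])

    # New-request branch: attestation wins over key archival, which wins over plain.
    if private_key_flags & (CT_FLAG_ATTEST_REQUIRED | CT_FLAG_ATTEST_PREFERRED):
        kind = RequestKind.NEW_ATTESTED
    elif private_key_flags & CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL:
        kind = RequestKind.NEW_KEY_ARCHIVAL
    else:
        kind = RequestKind.NEW_V2

    # Step 2: every RA key signs the request and its certificate travels in the CMS.
    signers = [key for key, _cert in ra_certificates]
    certificates = [cert for _key, cert in ra_certificates]
    return Decision(kind, signers, certificates)


if __name__ == "__main__":
    # Constructed sample inputs; the strings stand in for real key and certificate objects.
    ra = [("ra-key-1", "ra-cert-1")]
    print(choose_request(False, 2, CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL, ra))
    print(choose_request(True, 4, 0, ra, ("old-key", "old-cert")))  # demoted to NEW_V2
```

The return value separates the request kind from the signer set on purpose: on the server side the same two facts are what a CA policy module checks, so a reviewer can compare the client's choice against the enrollment agent and archival requirements the template actually declares.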