3.2.1.4.2.1.4.1.3 New Certificate Request Using CMS and CMC Request Format

The request MUST be compliant with the information that is specified in [RFC2797], otherwise the CA MUST return a non-zero error. The processing rules listed with the following fields MUST be adhered to by the CA. These are not explicitly specified by [RFC2797]:

  • contentType: This field ([RFC3852] section 3) MUST be OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData). If it is not, the CA MUST return a non-zero error.

  • content: The content structure MUST be a SignedData structure ([RFC3852] section 5.1). The SignedData structure MUST adhere to the following requirements:

    • encapContentInfo: This field MUST have the following values for its fields:

      • eContentType: This field ([RFC3852] section 5.2) MUST be OID szOID_CT_PKI_DATA (1.3.6.1.5.5.7.12.2, id-cct-PKIData). If not, the CA MUST return a non-zero error.

      • eContent: This field MUST be a PKIData structure, as specified in [RFC2797] section 3.1. The PKIData structure MUST adhere to the following requirements:

        • TaggedRequest: This field MUST contain exactly one certificate request. If the contents of this field is not exactly one PKCS #10 certificate request conforming to rules specified in sections 2.2.2.6.5 and 3.2.1.4.2.1.4.1.1, the CA MUST return 0x8007000D (ERROR_INVALID_DATA) to the client.

        • TaggedAttribute: This field MAY contain additional enrollment attributes. If the field contains the RegInfo attribute (as specified in [RFC2797] section 5.12), processing rules for its value are identical to the ones for the pwszAttributes parameter (as specified in section 3.2.1.4.2.1.2).

      • signerInfos: The request MUST be signed. If the request is not signed, the CA MUST return 0x8009200E (CRYPT_E_NO_SIGNER) to the client.