3.2.1.4.2.1.4.2.1 Renewing a Certificate Request Using CMS and PKCS #10 Request Formats

The request MUST be compliant with the information that is specified in [RFC3852]; otherwise, the CA MUST return a nonzero error. The CA MUST adhere to the processing rules for the following fields, which are not specified by [RFC3852].

  • ContentType: This field ([RFC3852] section 3) MUST be OID szOID_PKCS_7_SIGNED (1.2.840.113549.1.7.2, id-signedData). If not, the CA MUST return a nonzero error.

  • Content: MUST have a SignedData structure ([RFC3852] section 5.1). If not, the CA MUST return a nonzero error.

    • encapContentInfo: In the SignedData field. This field MUST have the following values for its fields:

      • eContentType: This field MUST be OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data). If not, the CA MUST return a nonzero error.

      • eContent: This field MUST be the PKCS #10 certificate request. Processing rules are identical to the ones specified in section 3.2.1.4.2.1.4.1.1. In addition, the Attributes field MUST include the szOID_RENEWAL_CERTIFICATE (1.3.6.1.4.1.311.13.1) attribute. If this attribute is not included, the CA assumes that this is a new certificate request and follows the processing rules in section 3.2.1.4.2.1.4.1.1. The value for this attribute MUST be the DER-encoded, already-issued certificate. If the issued certificate is not included in the value of this attribute, the CA MUST return 0x8009400E (CERTSRV_E_BAD_RENEWAL_CERT_ATTRIBUTE) to the client.

    • Certificates: This field MUST include the already-issued certificate that is associated with the private key used to sign the request (the same certificate that MUST be carried in the szOID_RENEWAL_CERTIFICATE attribute of the PKCS #10 request, as specified in the preceding requirement). If this field does not contain the already-issued certificate, the CA MUST return 0x8009400E (CERTSRV_E_BAD_RENEWAL_CERT_ATTRIBUTE) to the client.

    • SignerInfo: The signing MUST use the key associated with the already-issued certificate that is passed in the Certificates field, otherwise the CA MUST return a nonzero error to the client.
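The CA-side structural checks listed above, as an added example that is not part of the specification or of any CA implementation: a minimal DER walker that applies the ContentType, eContentType, szOID_RENEWAL_CERTIFICATE and Certificates rules to a constructed CMS request built by build_request. The certificate is a constructed stand-in, the E_NONZERO value is chosen here because the text only requires "a nonzero error", and SignerInfo signature verification is assumed to happen elsewhere.

```python
ID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID TLV 1.2.840.113549.1.7.2 (szOID_PKCS_7_SIGNED)
ID_DATA = bytes.fromhex("06092a864886f70d010701")         # OID TLV 1.2.840.113549.1.7.1 (szOID_PKCS_7_DATA)
OID_RENEWAL = bytes.fromhex("06092b0601040182370d01")     # OID TLV 1.3.6.1.4.1.311.13.1 (szOID_RENEWAL_CERTIFICATE)
CERTSRV_E_BAD_RENEWAL_CERT_ATTRIBUTE = 0x8009400E
E_NONZERO = 1  # the text only requires "a nonzero error"; this value is chosen for the example

def tlv(tag, body):  # DER-encode one TLV, using the short or the long length form as needed
    n = len(body)
    nb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (nb if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def children(der):  # split concatenated DER TLVs into (tag, body, raw) triples
    out, i = [], 0
    while i < len(der):
        tag, n, j = der[i], der[i + 1], i + 2
        if n & 0x80:  # long length form: (n & 0x7F) length bytes follow
            n, j = int.from_bytes(der[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        out.append((tag, der[j:j + n], der[i:j + n]))
        i = j + n
    return out

def check_renewal_request(der):  # CA-side structural rules; returns 0 if accepted, else the error code
    ctype, content = children(children(der)[0][1])     # ContentInfo ::= { contentType, [0] content }
    if ctype[2] != ID_SIGNED_DATA:
        return E_NONZERO
    fields = children(children(content[1])[0][1])      # SignedData: version, digestAlgs, encapContentInfo, ...
    eci = children(fields[2][1])                       # encapContentInfo ::= { eContentType, [0] eContent }
    if eci[0][2] != ID_DATA:
        return E_NONZERO
    certs = [c[2] for f in fields[3:] if f[0] == 0xA0 for c in children(f[1])]  # [0] IMPLICIT certificates
    pkcs10 = children(children(eci[1][1])[0][1])[0]    # eContent OCTET STRING -> CertificationRequest
    renewal = None
    for attrs in (f for f in children(children(pkcs10[1])[0][1]) if f[0] == 0xA0):  # CRI [0] attributes
        for attr in children(attrs[1]):                # Attribute ::= { type OID, values SET }
            atype, values = children(attr[1])
            if atype[2] == OID_RENEWAL:
                renewal = next((v[2] for v in children(values[1])), b"")
    if renewal is None:
        return 0  # no renewal attribute: processed as a new request (section 3.2.1.4.2.1.4.1.1)
    return 0 if renewal in certs else CERTSRV_E_BAD_RENEWAL_CERT_ATTRIBUTE

def build_request(attr_value, certificates):  # constructed sample: CMS SignedData around an unsigned PKCS #10
    attr = b"" if attr_value is None else tlv(0x30, OID_RENEWAL + tlv(0x31, attr_value))
    cri = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, attr))  # version, subject, spki, [0] attrs
    pkcs10 = tlv(0x30, cri + tlv(0x30, b"") + tlv(0x03, b"\x00"))  # plus empty signatureAlgorithm and signature
    eci = tlv(0x30, ID_DATA + tlv(0xA0, tlv(0x04, pkcs10)))        # encapContentInfo with eContent OCTET STRING
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + eci + tlv(0xA0, b"".join(certificates)) + tlv(0x31, b""))
    return tlv(0x30, ID_SIGNED_DATA + tlv(0xA0, sd))               # ContentInfo

ISSUED_CERT = tlv(0x30, b"constructed stand-in for the already-issued DER Certificate " * 3)  # long-form length
```

A request whose attribute value and Certificates field carry the same certificate passes; an empty attribute value, a missing Certificates entry, or a certificate that differs between the two yields 0x8009400E, and a wrong outer contentType yields the generic nonzero error.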