2.2.5.2.3 Certificate Chain Validity

To be valid, a certificate chain MUST meet all constraints imposed by PNRP, see [MS-PNRP] section 2.2.3.5. It MUST also meet the following constraints:

  • The root of the chain MUST be a GRC certificate. The Authority part of the Group Peer Name in the GRC MUST match the public key of the GRC, represented as a Unicode string according to the following procedure:

    1. Convert the public key to a null-terminated Unicode string with the same procedure as specified in section 2.2.1.2 for converting a hash output into a null-terminated Unicode string.

    2. The generated string MUST match with the Authority part of the Group Peer Name.

  • All intermediary and leaf certificates MUST be GMCs.

  • The PnrpPeerName for all certificates MUST be the same.

  • For a GMC parent and GMC child, the Roles specified in the child certificate MUST be issuable by one or more Roles specified in the parent certificate. See section 2.2.5.3 below.

  • For a GRC parent and GMC child, any Role is valid.
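The following is an added example, not part of [MS-PPGRH] or any Microsoft implementation: a checker that walks a root-first chain and reports every one of the constraints above that it violates. It models certificates as plain records rather than X.509 objects, and the names it uses are assumptions: `authority_from_public_key` stands in for the section 2.2.1.2 hash-to-Unicode-string conversion (SHA-1 in lowercase hex is assumed here), the Group Peer Name is assumed to take the PNRP `Authority.Classifier` form, and the role issuance rules of section 2.2.5.3 are supplied as a dictionary (`issuable`) rather than taken from the specification. The PNRP constraints of [MS-PNRP] section 2.2.3.5 are out of scope for this example.

```python
"""Added example (not from [MS-PPGRH]): checker for the section 2.2.5.2.3
chain constraints.  Assumptions not taken from the specification:
  * certificates are plain dataclasses, not X.509 objects;
  * authority_from_public_key() uses SHA-1 + lowercase hex as a stand-in
    for the section 2.2.1.2 hash-to-Unicode-string procedure;
  * the Group Peer Name has the PNRP form "<Authority>.<Classifier>";
  * the section 2.2.5.3 role issuance table is passed in as a dict.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

GRC = "GRC"   # Group Root Certificate
GMC = "GMC"   # Group Membership Certificate


@dataclass(frozen=True)
class Cert:
    kind: str                 # GRC or GMC
    group_peer_name: str      # "<Authority>.<Classifier>" (assumed form)
    pnrp_peer_name: str       # PnrpPeerName field of the certificate
    public_key: bytes
    roles: FrozenSet[str]


def authority_from_public_key(public_key: bytes) -> str:
    """Stand-in for section 2.2.1.2 (assumption: SHA-1, lowercase hex)."""
    return hashlib.sha1(public_key).hexdigest()


def validate_chain(chain: List[Cert], issuable: Dict[str, FrozenSet[str]]) -> List[str]:
    """Return every violated constraint; an empty list means the chain is valid.

    `chain` is ordered root first, leaf last.  `issuable` maps a parent role to
    the set of child roles it may issue (hypothetical stand-in for 2.2.5.3).
    """
    errors: List[str] = []
    if not chain:
        return ["chain is empty"]

    # Root MUST be a GRC whose Authority matches its own public key.
    root = chain[0]
    if root.kind != GRC:
        errors.append("root is not a GRC")
    else:
        authority = root.group_peer_name.split(".", 1)[0]
        if authority != authority_from_public_key(root.public_key):
            errors.append("GRC Authority does not match GRC public key")

    # Every intermediary and leaf certificate MUST be a GMC.
    for i, cert in enumerate(chain[1:], start=1):
        if cert.kind != GMC:
            errors.append(f"certificate {i} is not a GMC")

    # PnrpPeerName MUST be identical across the whole chain.
    if len({c.pnrp_peer_name for c in chain}) != 1:
        errors.append("PnrpPeerName differs between certificates")

    # Role constraints on each parent/child pair.
    for i, (parent, child) in enumerate(zip(chain, chain[1:]), start=1):
        if parent.kind == GRC:
            continue  # GRC parent: any child role is valid
        if parent.kind == GMC and child.kind == GMC:
            for role in sorted(child.roles):
                if not any(role in issuable.get(p, frozenset()) for p in parent.roles):
                    errors.append(f"certificate {i}: role {role!r} not issuable by parent roles")
    return errors


# Constructed sample data (not real group certificates or role names).
ISSUABLE: Dict[str, FrozenSet[str]] = {
    "Admin": frozenset({"Admin", "Member"}),
    "Member": frozenset(),
}
ROOT_KEY = b"constructed-grc-public-key"
GROUP_NAME = authority_from_public_key(ROOT_KEY) + ".ExampleGroup"


def sample_chain() -> List[Cert]:
    """A three-certificate chain (GRC -> admin GMC -> member GMC) that passes."""
    return [
        Cert(GRC, GROUP_NAME, "pnrp-group-name", ROOT_KEY, frozenset({"Admin"})),
        Cert(GMC, GROUP_NAME, "pnrp-group-name", b"admin-key", frozenset({"Admin"})),
        Cert(GMC, GROUP_NAME, "pnrp-group-name", b"member-key", frozenset({"Member"})),
    ]


if __name__ == "__main__":
    print(validate_chain(sample_chain(), ISSUABLE))  # [] for the sample chain
```

Because the checker collects every violation instead of stopping at the first, a failing chain reports all of its problems at once, which is what you want when diagnosing a rejected chain in logs.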