2.2.5.2.3 Certificate Chain Validity
To be valid, a certificate chain MUST meet all constraints imposed by PNRP (see [MS-PNRP] section 2.2.3.5). It MUST also meet the following constraints:
The root of the chain MUST be a GRC certificate. The Authority part of the Group Peer Name in the GRC MUST match the public key of the GRC, represented as a Unicode string, when checked according to the following procedure:
Convert the public key to a null-terminated Unicode string with the same procedure as specified in section 2.2.1.2 for converting a hash output into a null-terminated Unicode string.
The generated string MUST match the Authority part of the Group Peer Name.
All intermediary and leaf certificates MUST be GMCs.
The PnrpPeerName for all certificates MUST be the same.
For a GMC parent and GMC child, the Roles specified in the child certificate MUST be issuable by one or more Roles specified in the parent certificate. See section 2.2.5.3 below.
For a GRC parent and GMC child, any Role is valid.
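The constraints above can be checked in one pass over the chain, as in the following added example, which is not code from the specification and does not perform the [MS-PNRP] checks. It assumes the chain is ordered root first, reads the Role rule as applying to each Role in the child, and takes two caller-supplied stand-ins: key_to_string for the section 2.2.1.2 conversion and issuers_of for the Role rules of section 2.2.5.3. The Cert type, the role names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Cert:
    kind: str                      # "GRC" or "GMC"
    pnrp_peer_name: str            # PnrpPeerName carried by the certificate
    public_key: bytes = b""
    authority: str = ""            # Authority part of the Group Peer Name (GRC)
    roles: FrozenSet[str] = frozenset()   # Roles (GMC)

def chain_errors(chain: List[Cert],
                 key_to_string: Callable[[bytes], str],
                 issuers_of: Dict[str, Set[str]]) -> List[str]:
    """Return the violated constraints; an empty list means none were found.

    Assumptions: chain[0] is the root and chain[-1] the leaf; key_to_string
    stands in for the section 2.2.1.2 conversion; issuers_of maps a Role to
    the Roles allowed to issue it (section 2.2.5.3). PNRP checks are not done.
    """
    if not chain:
        return ["chain is empty"]
    errors = []
    root = chain[0]
    if root.kind != "GRC":
        errors.append("root is not a GRC")
    elif key_to_string(root.public_key) != root.authority:
        errors.append("Authority does not match the GRC public key")
    for i, cert in enumerate(chain[1:], start=1):
        if cert.kind != "GMC":
            errors.append(f"certificate {i} is not a GMC")
    if len({c.pnrp_peer_name for c in chain}) != 1:
        errors.append("PnrpPeerName is not the same for all certificates")
    for i in range(1, len(chain)):
        parent, child = chain[i - 1], chain[i]
        if parent.kind == "GRC":
            continue               # GRC parent: any Role is valid
        for role in sorted(child.roles):
            if not issuers_of.get(role, set()) & parent.roles:
                errors.append(f"certificate {i}: Role {role!r} not issuable by parent")
    return errors

# Constructed sample data (not from the specification); bytes.hex is only a
# placeholder for the real key-to-string conversion.
KEY = b"\x01\x02"
ISSUERS = {"role-low": {"role-high"}, "role-high": {"role-high"}}
GRC = Cert("GRC", "group-1", KEY, authority=KEY.hex())
HIGH = Cert("GMC", "group-1", roles=frozenset({"role-high"}))
LOW = Cert("GMC", "group-1", roles=frozenset({"role-low"}))
```

Returning every violated constraint, rather than stopping at the first, makes rejected chains easier to diagnose in logs.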