2.2.9.3 Issuing Certificates

This section defines the format of issuing certificates. The SLC, version 1 security processor CA certificate, SPC issuer certificate, security processor CA certificate, intermediate security processor CA certificate, CA certificate, Enrollment Service certificate, and Enrollment CA certificate are all issuing certificates.

Issuing certificates MUST use the following template.

 <XrML xmlns="" version="1.2">
    <BODY type="LICENSE" version="3.0">
       [[- issuedtime -]]
       [[- validitytime -]]
       [[- descriptor -]]
       [[- issuer -]]
       [[- issuedprincipals -]]
       <WORK>
          [[- workobject -]]
          <RIGHTSGROUP name="Main-Rights">
             <RIGHTSLIST>
                <RIGHT name="ISSUE">
                   <CONDITIONLIST>
                      <TIME>
                         [[- rangetime -]]
                      </TIME>
                      <ACCESS>
                         <PRINCIPAL internal-id="1" /> 
                      </ACCESS>
                   </CONDITIONLIST>
                </RIGHT>
             </RIGHTSLIST>
          </RIGHTSGROUP>
       </WORK>
       [[- conditionlist -]]
    </BODY>
    [[- signature -]]
 </XrML>

[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the certificate was generated, in UTC. The time MUST fall within the RANGETIME of the issuer's certificate.

[[- validitytime -]]: SHOULD be a VALIDITYTIME (section 2.2.9.1.2) element describing the period of validity for the certificate, in UTC. This element is optional but SHOULD be present.

[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.3.1) element describing the certificate.

[[- issuer -]]: MUST be an ISSUER (section 2.2.9.3.2) element describing the issuer of the certificate.

[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.3.3) element describing the principal and its public key.

[[- workobject -]]: MUST be an OBJECT element that identifies the certificate. It is copied verbatim from the OBJECT in the DESCRIPTOR (section 2.2.9.3.1), including the same GUID; that OBJECT is described in the DESCRIPTOR (section 2.2.9.3.1) section.

[[- rangetime -]]: MUST be a RANGETIME (section 2.2.9.1.3) element describing the period during which the certificate can be used for issuance.

[[- conditionlist -]]: SHOULD be present in the SLC if alternate revocation information is included, and MUST NOT be present in any other issuing certificate. If present, this MUST be a CONDITIONLIST (section 2.2.9.3.4) element that specifies alternate revocation information.

[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
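As an added example (not part of the specification or any Microsoft implementation), the following Python checks a parsed issuing certificate against the structural rules above: the template shape, ISSUEDTIME inside the issuer's RANGETIME, WORK/OBJECT identical to DESCRIPTOR/OBJECT, the ISSUE right bound to PRINCIPAL internal-id="1", and a BODY-level CONDITIONLIST only in the SLC. The inner shapes of ISSUEDTIME, RANGETIME (FROM/UNTIL), OBJECT/ID and the time format are assumptions, since those sections are not reproduced here, and the sample certificate is constructed; checking the SIGNATURE value itself is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample following the template above. Inner shapes of ISSUEDTIME,
# RANGETIME (FROM/UNTIL) and OBJECT/ID are assumptions (sections not shown here).
SAMPLE_CERT = """<XrML xmlns="" version="1.2"><BODY type="LICENSE" version="3.0">
<ISSUEDTIME>2024-03-01T12:00</ISSUEDTIME>
<DESCRIPTOR><OBJECT type="CA-Certificate"><ID type="MS-GUID">{c0ffee00-0000-0000-0000-000000000001}</ID></OBJECT></DESCRIPTOR>
<ISSUER><OBJECT type="CA-Certificate"><ID type="MS-GUID">{issuer-guid-placeholder}</ID></OBJECT></ISSUER>
<ISSUEDPRINCIPALS><PRINCIPAL internal-id="1"/></ISSUEDPRINCIPALS>
<WORK><OBJECT type="CA-Certificate"><ID type="MS-GUID">{c0ffee00-0000-0000-0000-000000000001}</ID></OBJECT>
<RIGHTSGROUP name="Main-Rights"><RIGHTSLIST><RIGHT name="ISSUE"><CONDITIONLIST>
<TIME><RANGETIME><FROM>2024-01-01T00:00</FROM><UNTIL>2025-01-01T00:00</UNTIL></RANGETIME></TIME>
<ACCESS><PRINCIPAL internal-id="1"/></ACCESS></CONDITIONLIST></RIGHT></RIGHTSLIST></RIGHTSGROUP>
</WORK></BODY><SIGNATURE>(signature placeholder)</SIGNATURE></XrML>"""

def _t(s):  # assumed time format: yyyy-MM-ddTHH:mm, UTC
    return datetime.strptime(s.strip(), "%Y-%m-%dT%H:%M")

def check_issuing_certificate(xml_text, issuer_range, is_slc=False):
    # Returns a list of template violations; [] means the structure conforms.
    # issuer_range is the (FROM, UNTIL) pair from the issuer's own RANGETIME.
    root = ET.fromstring(xml_text)
    body = root.find("BODY")
    if (root.tag, root.get("version")) != ("XrML", "1.2") or body is None \
            or (body.get("type"), body.get("version")) != ("LICENSE", "3.0") \
            or root.find("SIGNATURE") is None:
        return ["not a signed XrML 1.2 / LICENSE 3.0 body"]
    problems = [f"missing {n}" for n in
                ("ISSUEDTIME", "DESCRIPTOR", "ISSUER", "ISSUEDPRINCIPALS", "WORK")
                if body.find(n) is None]
    if problems:
        return problems
    # ISSUEDTIME must fall inside the issuer's RANGETIME
    issued = _t(body.findtext("ISSUEDTIME"))
    if not _t(issuer_range[0]) <= issued <= _t(issuer_range[1]):
        problems.append("ISSUEDTIME outside issuer RANGETIME")
    # WORK/OBJECT must be a verbatim copy of DESCRIPTOR/OBJECT (same GUID)
    canon = lambda e: None if e is None else ET.tostring(e).strip()
    if canon(body.find("WORK/OBJECT")) != canon(body.find("DESCRIPTOR/OBJECT")):
        problems.append("WORK/OBJECT differs from DESCRIPTOR/OBJECT")
    # The ISSUE right must carry a RANGETIME and be bound to principal 1
    right = body.find("WORK/RIGHTSGROUP[@name='Main-Rights']/RIGHTSLIST/RIGHT[@name='ISSUE']")
    if right is None or right.find("CONDITIONLIST/TIME/RANGETIME") is None:
        problems.append("ISSUE right or its RANGETIME missing")
    elif right.find("CONDITIONLIST/ACCESS/PRINCIPAL[@internal-id='1']") is None:
        problems.append("ISSUE right not bound to PRINCIPAL internal-id=1")
    if body.find("CONDITIONLIST") is not None and not is_slc:
        problems.append("CONDITIONLIST present in a non-SLC issuing certificate")
    return problems
```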