3.1.1.4.3.3.2 Enroll on Behalf of Request Using CMS and PKCS #10 Request Formats

The request MUST be an ASN.1 DER-encoded CMS request as specified in [RFC3852]. The CMS ASN.1 structure includes the following fields:

  • The client MUST construct a CMS with the following requirements:

    • ContentType: This field MUST be the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).

    • Content: This field MUST be a SignedData with the following values for its fields:

      • encapContentInfo: This field MUST have the following values for its fields:

        • eContentType: This field MUST be the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data).

        • eContent: This field MUST be the PKCS #10 certificate request constructed as specified in section 3.1.1.4.3.1.1 or section 3.1.1.4.3.4.1.1, or retrieved from the OtherEndEntityRequest data.

      • Certificates: This field MUST include the certificate that is associated with the private key used to sign the certificate request.

      • SignerInfo: The signing MUST be done with the key associated with the certificate that is passed in the preceding Certificates field:

        • AuthenticatedAttributes (in the first SignerInfo): This field MUST include the OID szENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1) attribute. The value of the attribute MUST include the requestername name-value pair. The value of requestername MUST be the requested value for the Subject field in the issued certificate.
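The following is an added example, not part of the MS-WCCE text: it builds the DER skeleton of such an Enroll on Behalf of request and checks it against the field rules above, as a CA-side shape check before any signature verification. The PKCS #10, enrollment agent certificate, signer identifier and signature are constructed placeholder bytes, so only the CMS structure is checked, and the BMPString name/value layout of the attribute is an assumption.

```python
def tlv(tag, *parts):                          # one DER TLV; handles long-form lengths
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body):                            # split a constructed body into (tag, body) pairs
    out, i = [], 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                           # long-form length
            n, i = int.from_bytes(body[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, body[i:i + n]))
        i += n
    return out

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # szOID_RSA_signedData 1.2.840.113549.1.7.2 (contents octets)
ID_DATA = bytes.fromhex("2a864886f70d010701")         # szOID_PKCS_7_DATA 1.2.840.113549.1.7.1
ENROLL_NVP = bytes.fromhex("2b0601040182370d0201")    # szENROLLMENT_NAME_VALUE_PAIR 1.3.6.1.4.1.311.13.2.1
SHA256 = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")))   # AlgorithmIdentifier sha256

def check_eobo_cms(der):
    """Return the rule violations found in an EOBO CMS request ([] means the shape is OK)."""
    bad = []
    ctype, content = children(children(der)[0][1])            # ContentInfo: contentType, [0] content
    if ctype != (0x06, ID_SIGNED_DATA):
        bad.append("ContentType must be id-signedData")
    sd = children(children(content[1])[0][1])                  # [0] EXPLICIT SignedData fields
    if children(sd[2][1])[0] != (0x06, ID_DATA):               # encapContentInfo.eContentType
        bad.append("eContentType must be id-data")
    if not any(c[0] == 0xA0 and children(c[1]) for c in sd[3:-1]):   # [0] IMPLICIT certificates
        bad.append("Certificates must carry the signing certificate")
    first_signer = children(children(sd[-1][1])[0][1])         # fields of the first SignerInfo
    attr_oids = [children(a[1])[0] for s in first_signer if s[0] == 0xA0 for a in children(s[1])]
    if (0x06, ENROLL_NVP) not in attr_oids:                    # [0] IMPLICIT signedAttrs
        bad.append("AuthenticatedAttributes must include szENROLLMENT_NAME_VALUE_PAIR")
    return bad

def build_sample(include_nvp=True):            # constructed skeleton; crypto parts are placeholders
    nvp = tlv(0x30, tlv(0x1E, "requestername".encode("utf-16-be")),   # assumed BMPString name/value pair
              tlv(0x1E, "CN=requested-subject".encode("utf-16-be")))
    attrs = [tlv(0x30, tlv(0x06, ENROLL_NVP), tlv(0x31, nvp))] if include_nvp else []
    signer = tlv(0x30, tlv(0x02, b"\x01"), tlv(0x30, b"PLACEHOLDER-ISSUER-AND-SERIAL"), SHA256,
                 tlv(0xA0, *attrs), tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))),
                 tlv(0x04, b"PLACEHOLDER-SIGNATURE"))
    signed = tlv(0x30, tlv(0x02, b"\x01"), tlv(0x31, SHA256),
                 tlv(0x30, tlv(0x06, ID_DATA), tlv(0xA0, tlv(0x04, tlv(0x30, b"PLACEHOLDER-PKCS10")))),
                 tlv(0xA0, tlv(0x30, b"PLACEHOLDER-EA-CERTIFICATE")), tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, ID_SIGNED_DATA), tlv(0xA0, signed))
```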