3.1.1.4.3.3.2 Enroll on Behalf of Request Using CMS and PKCS #10 Request Formats
The request MUST be an ASN.1 DER encoded CMS request as specified in [RFC3852]. The client MUST construct the CMS structure with the following requirements for its fields:
ContentType: This field MUST be the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).
Content: This field MUST be a SignedData with the following values for its fields:
  encapContentInfo: This field MUST have the following values for its fields:
    eContentType: This field MUST be the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data).
    eContent: This field MUST be the PKCS #10 certificate request constructed as specified in section 3.1.1.4.3.1.1 or section 3.1.1.4.3.4.1.1, or retrieved from the OtherEndEntityRequest data.
  Certificates: This field MUST include the certificate that is associated with the private key used to sign the certificate request.
  SignerInfo: The signing MUST be done with the key associated with the certificate that is passed in the preceding Certificates field:
    AuthenticatedAttributes (in the first SignerInfo): This field MUST include the OID szENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1) attribute. The value of the attribute MUST include the requestername name-value pair. The value of requestername MUST be the requested value for the Subject field in the issued certificate.
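
The following is an added example, not part of the specification: a structural check, useful when reviewing or logging enroll-on-behalf-of requests, that walks the DER encoding and returns the requestername value once the field rules above hold. It assumes the name-value pair is encoded as a SEQUENCE of two BMPStrings (name, value) and matches the name case-insensitively; `tlvs`, `requester_name`, `enc` and `sample` are names chosen for this sketch. It does not verify the signature or that the included certificate matches the signing key.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
OID_NAME_VALUE = bytes.fromhex("2b0601040182370d0201")  # 1.3.6.1.4.1.311.13.2.1

def tlvs(buf):
    """Split DER bytes into [(tag, value), ...]; raise ValueError if truncated."""
    out, i = [], 0
    while i < len(buf):
        # Slices (not indexing) so a short buffer fails the bounds check below.
        tag, n, i = buf[i], int.from_bytes(buf[i + 1:i + 2], "big"), i + 2
        if n & 0x80:  # long form: the low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def requester_name(der):
    """Check the fields this section constrains; return the requestername value."""
    ctype, content = tlvs(tlvs(der)[0][1])[:2]            # ContentInfo
    if ctype != (0x06, OID_SIGNED_DATA):
        raise ValueError("ContentType is not id-signedData")
    fields = tlvs(tlvs(content[1])[0][1])                 # SignedData fields
    if tlvs(fields[2][1])[0] != (0x06, OID_DATA):
        raise ValueError("eContentType is not id-data")
    if all(tag != 0xA0 for tag, _ in fields[3:]):         # [0] certificates
        raise ValueError("Certificates field is absent")
    signer = tlvs(tlvs(fields[-1][1])[0][1])              # first SignerInfo
    for _, attr in tlvs(b"".join(v for t, v in signer if t == 0xA0)):
        (_, a_oid), (_, a_vals) = tlvs(attr)              # Attribute: OID, SET of values
        for _, pair in tlvs(a_vals) if a_oid == OID_NAME_VALUE else []:
            (_, name), (_, value) = tlvs(pair)            # assumed: two BMPStrings
            if name.decode("utf-16-be").lower() == "requestername":
                return value.decode("utf-16-be")
    raise ValueError("first SignerInfo has no requestername pair")

def enc(tag, body):
    """DER-encode one element (body up to 65535 bytes); used only for the sample."""
    n = len(body)
    head = bytes([n]) if n < 128 else bytes([0x81 + (n > 255)]) + n.to_bytes(1 + (n > 255), "big")
    return bytes([tag]) + head + body

def sample(name="requestername", value="EXAMPLE\\alice", ctype=OID_SIGNED_DATA):
    """Constructed skeleton: empty placeholders replace certificate, signer id, algorithms, signature."""
    attr = enc(0x30, enc(0x06, OID_NAME_VALUE) + enc(0x31, enc(0x30, enc(0x1E, name.encode("utf-16-be")) + enc(0x1E, value.encode("utf-16-be")))))
    signer = enc(0x30, enc(0x02, b"\x01") + enc(0x30, b"") * 2 + enc(0xA0, attr) + enc(0x30, b"") + enc(0x04, b"\x00"))
    encap = enc(0x30, enc(0x06, OID_DATA) + enc(0xA0, enc(0x04, b"\x30\x00")))
    sd = enc(0x30, enc(0x02, b"\x01") + enc(0x31, b"") + encap + enc(0xA0, enc(0x30, b"")) + enc(0x31, signer))
    return enc(0x30, enc(0x06, ctype) + enc(0xA0, sd))
```

Calling `requester_name(sample())` returns the constructed value; a request that breaks one of the rules raises ValueError naming the rule.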