3.2.1.4.2.1.4.3.2 Signed Certificate Timestamp List

In addition to the processing rules defined in section 3.2.1.4.2.1.4, the CA MUST perform the following processing on the certificate request, which is formatted as described in section 3.1.1.4.3.5:

  1. If the Config_CertificateTransparency_Enabled flag is not set, reject the request with a nonzero error.

  2. The CA MUST look up the relevant request row in the Request Table by using the RequestId attribute (section 2.2.2.7.10) specified in the pwszAttributes parameter of the ICertRequestD::Request or ICertRequestD2::Request2 method.

  3. The CA MUST verify that the Request_Disposition column in the Request table ([MS-CSRA] section 3.1.1.1.1) is set to "request pending".

  4. The CA MUST verify that the caller of this request is the same principal that originally submitted the pending request (the original requester or caller).

  5. If the size of the data in the pctbRequest parameter of the ICertRequestD::Request call is greater than the Config_CertificateTransparency_Max_SCTList_Size value, reject the request with a nonzero error.

  6. If Config_CertificateTransparency_Disable_SCTList_Validation is set to FALSE, verify that the syntax of the data in the pctbRequest parameter of the ICertRequestD::Request call matches the SignedCertificateTimestampList, as defined in [RFC6962].

  7. If the TBSCertificate has been modified from when the precertificate was initially issued, as described in section 3.2.1.4.2.1.4.3.1, the CA MUST fail the request.

  8. Continue processing the request as described in section 3.2.1.4.2.1.4.1. To construct the issued end entity certificate, the precertificate poison extension MUST be removed from the precertificate and a SignedCertificateTimestampList extension MUST be added per [RFC6962], where the following applies:

    • The extension OID MUST be set to the Config_CertificateTransparency_InformationExtension value.

    • The extension value MUST be set to the data contents of the pctbRequest parameter of the ICertRequestD::Request call.
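Steps 5 and 6 above amount to a bounded-size, syntax-only check of the RFC 6962 SignedCertificateTimestampList before its raw bytes are copied into the issued certificate. The following Python is an added example and is not part of this specification or of any Microsoft implementation: it parses the TLS-presentation-language structure from [RFC6962] sections 3.2 and 3.3 (outer 2-byte length, one 2-byte-length-prefixed SerializedSCT per log, each holding version, 32-byte log ID, 64-bit timestamp, extensions vector and a digitally-signed blob), enforces the size limit, and reports a failure wherever the steps call for a nonzero error. The MAX_SCTLIST_SIZE value stands in for the configurable Config_CertificateTransparency_Max_SCTList_Size and is an assumption; the log IDs, timestamps and signature bytes in the sample list are constructed for the example. No signature is verified, matching the syntax-only requirement of step 6.

```python
"""Size and syntax check for an RFC 6962 SignedCertificateTimestampList (added example)."""
import struct

# Assumed stand-in for Config_CertificateTransparency_Max_SCTList_Size (bytes).
MAX_SCTLIST_SIZE = 4096

SCT_VERSION_V1 = 0          # RFC 6962: Version { v1(0) }
LOG_ID_LEN = 32             # LogID is the SHA-256 of the log's public key


class SctListError(ValueError):
    """Raised when the data does not match the SignedCertificateTimestampList syntax."""


def _read_u16_vector(buf, off):
    """Read an opaque<..2^16-1> vector: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise SctListError("truncated length prefix at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise SctListError("vector of %d bytes overruns input at offset %d" % (n, off))
    return buf[off:off + n], off + n


def parse_sct(sct):
    """Parse one SerializedSCT into its fields; every byte must be accounted for."""
    if len(sct) < 1 + LOG_ID_LEN + 8 + 2 + 2 + 2:
        raise SctListError("SCT too short (%d bytes)" % len(sct))
    version = sct[0]
    if version != SCT_VERSION_V1:
        raise SctListError("unsupported SCT version %d" % version)
    log_id = sct[1:1 + LOG_ID_LEN]
    (timestamp,) = struct.unpack_from(">Q", sct, 1 + LOG_ID_LEN)   # ms since Unix epoch
    off = 1 + LOG_ID_LEN + 8
    extensions, off = _read_u16_vector(sct, off)                   # CtExtensions
    if off + 2 > len(sct):
        raise SctListError("missing signature algorithm bytes")
    hash_alg, sig_alg = sct[off], sct[off + 1]                      # TLS 1.2 registry values
    off += 2
    signature, off = _read_u16_vector(sct, off)
    if off != len(sct):
        raise SctListError("%d trailing bytes inside SCT" % (len(sct) - off))
    return {"version": version, "log_id": log_id, "timestamp": timestamp,
            "extensions": extensions, "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": signature}


def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList; returns the list of parsed SCT dicts."""
    body, off = _read_u16_vector(data, 0)
    if off != len(data):
        raise SctListError("%d trailing bytes after sct_list" % (len(data) - off))
    if not body:
        raise SctListError("sct_list must contain at least one SCT")
    scts, pos = [], 0
    while pos < len(body):
        sct, pos = _read_u16_vector(body, pos)
        if not sct:
            raise SctListError("zero-length SerializedSCT")
        scts.append(parse_sct(sct))
    return scts


def validate_sct_list_request(data, max_size=MAX_SCTLIST_SIZE, disable_validation=False):
    """Steps 5 and 6: size limit first, then syntax unless validation is disabled.
    Returns (accepted, reason); a False result corresponds to a nonzero error."""
    if len(data) > max_size:
        return False, "SCT list of %d bytes exceeds limit of %d" % (len(data), max_size)
    if disable_validation:
        return True, "syntax validation disabled by configuration"
    try:
        scts = parse_sct_list(data)
    except SctListError as exc:
        return False, "malformed SignedCertificateTimestampList: %s" % exc
    return True, "%d SCT(s)" % len(scts)


# --- constructed sample input (not real log data) -----------------------------
def build_sct(log_id, timestamp_ms, signature, extensions=b"", hash_alg=4, sig_alg=3):
    """Serialize one SCT (hash_alg 4 = sha256, sig_alg 3 = ecdsa in the TLS registry)."""
    return (bytes([SCT_VERSION_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


FAKE_SIGNATURE = b"\x30\x44" + b"\xab" * 68          # 70 placeholder bytes, never verified
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(bytes(range(32)), 1700000000000, FAKE_SIGNATURE),
    build_sct(bytes(32), 1700000001000, FAKE_SIGNATURE),
])

if __name__ == "__main__":
    print(validate_sct_list_request(SAMPLE_SCT_LIST))
    print(validate_sct_list_request(SAMPLE_SCT_LIST[:-5]))          # truncated
    print(validate_sct_list_request(SAMPLE_SCT_LIST, max_size=10))  # over the size limit
```

The order matters: the size comparison runs before any parsing, so an oversized blob is rejected without being decoded, and the parser never trusts a length prefix without checking it against the bytes actually present. When Config_CertificateTransparency_Disable_SCTList_Validation is TRUE only the size bound applies and malformed data passes straight into the extension value, which is why that switch should stay FALSE in production.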