3.2.1.4.3.2.33 PropID = 0x00000021 (CR_PROP_CAXCHGCERTCRLCHAIN) "CA Exchange Certificate Chain and CRL"

The client has requested the CA exchange certificate, its complete chain, and all relevant CRLs. The CA MUST follow these processing rules to process a client's request:

  1. If the PropIndex parameter is not equal to 0x0 or 0xFFFFFFFF, return the E_INVALIDARG (0x80070057) error to the client.

  2. Validate that the Current_CA_Exchange_Cert datum contains a current, valid CA exchange certificate by executing steps 2 and 3 in section 3.2.1.4.3.2.15.

  3. Construct a signed CMS message with the following fields:

    • ContentType: szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).

    • Content: SignedData (as specified in [RFC3852] section 5.1) with the following requirements:

      • version: See [RFC3852] section 5.1.

      • digestAlgorithms: The same digest algorithm that was used to sign the current CA's certificate stored in the Signing_Cert_Certificate datum.

      • encapContentInfo: EncapsulatedContentInfo structure (as specified in [RFC3852] section 5.2) with the eContentType set to the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1) and the eContent field set to the CA's exchange certificate from the Current_CA_Exchange_Cert datum.

      • certificates: Contains the CA's certificate stored in the Signing_Cert_Certificate datum and its parent certificates, excluding the root certificate. To obtain the parent certificates, the CA SHOULD use the Authority Information Access (AIA) extension of its certificate and of each parent certificate. The AIA extension is specified in [RFC3280] section 4.2.2.1.

      • crls: Contains all current CRLs and delta CRLs for the CAs whose certificates were added to the certificates field. For each certificate in the certificates field, the CA SHOULD retrieve the CRL using the processing rules in section 3.2.1.4.1.3 by setting the ParameterCertificate to be equal to the current certificate.

      • signerInfos: Not used.

  4. Return the CMS message through a CERTTRANSBLOB structure (as specified in section 2.2.2.2). Marshaling rules for CERTTRANSBLOB are specified in section 2.2.2.2.4.
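As an added example (not part of MS-WCCE or any CA implementation), the following stdlib-only Python assembles a message in the shape steps 3 and 4 prescribe from placeholder certificate and CRL blobs, then parses a received blob back and rejects anything that deviates from that shape; the placeholder contents, the SHA-256 digest algorithm and the definite-length-only DER handling are assumptions.

```python
# Added example, not from MS-WCCE or any CA implementation: builds the degenerate
# SignedData that step 3 describes from placeholder blobs, then parses it back.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2, szOID_RSA_signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1, szOID_PKCS_7_DATA
OID_SHA256 = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1 (assumed signing hash)
def der(tag, value):
    """Encode one DER TLV with a definite (short or long form) length."""
    n, k = len(value), (len(value).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + value

def der_children(buf):
    """Split a DER value into its (tag, value) members; definite lengths only."""
    items, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                           # long form: low bits count the length octets
            k = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        items.append((tag, buf[pos:pos + length])); pos += length
    return items

def build_sample(exchange_cert, chain, crls):
    """Constructed sample laid out field by field as steps 3 and 4 require."""
    signed_data = (der(0x02, b"\x01")                                            # version
        + der(0x31, der(0x30, der(0x06, OID_SHA256)))                          # digestAlgorithms
        + der(0x30, der(0x06, OID_DATA) + der(0xA0, der(0x04, exchange_cert)))  # encapContentInfo
        + der(0xA0, b"".join(chain)) + der(0xA1, b"".join(crls))               # certificates, crls
        + der(0x31, b""))                                                      # signerInfos: not used
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30, signed_data)))

def parse_exchange_chain(blob):
    """Return (exchange_cert, chain_certs, crls); raise ValueError on an unexpected shape."""
    [(tag, content_info)] = der_children(blob)
    (ctag, ctype), (xtag, explicit) = der_children(content_info)
    if tag != 0x30 or ctag != 0x06 or ctype != OID_SIGNED_DATA or xtag != 0xA0:
        raise ValueError("not a ContentInfo carrying [0] EXPLICIT signedData")
    [(_, signed_data)] = der_children(explicit)
    fields = der_children(signed_data)                  # version, digestAlgorithms, eci, ...
    (_, etype), (etag, ewrap) = der_children(fields[2][1])
    if etype != OID_DATA or etag != 0xA0: raise ValueError("eContentType is not id-data")
    [(otag, exchange_cert)] = der_children(ewrap)
    if otag != 0x04: raise ValueError("eContent is not an OCTET STRING")
    certs, crls = [], []
    for tag, val in fields[3:]:
        if tag == 0xA0: certs = [der(t, v) for t, v in der_children(val)]   # [0] IMPLICIT certificates
        elif tag == 0xA1: crls = [der(t, v) for t, v in der_children(val)]  # [1] IMPLICIT crls
        elif tag == 0x31 and der_children(val): raise ValueError("signerInfos must be empty")
    if not certs: raise ValueError("certificates field is empty")
    # Nothing here is signed (signerInfos is empty): still chain the exchange cert to the CA cert and check the CRLs.
    return exchange_cert, certs, crls
```

Because signerInfos is empty, the CMS layer itself provides no authenticity; a client has to validate the extracted exchange certificate against the CA certificate chain and the returned CRLs before using it.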