3.2.2.6.2.1.2.1 Processing Rules for Request on Behalf of a Different Subject

A ROBO certificate request MUST use one of the following formats as specified in section 3.2.1.4.2.1.4:

  •  CMS with embedded PKCS #10.

  •  CMS with embedded CMC.

The following are the specific CA processing rules for the certificate request for each one of the preceding formats.

If the CA implements Config_Permissions_Enrollment_Agent_Rights data,<113> the CA MUST verify that the EA has permissions to request a certificate for the specific end-entity (the subject of the certificate being requested) based on the specific template. If the EA does not have the permissions to make a request, the CA MUST return a nonzero error. The error SHOULD be 0x80094009 (CERTSRV_E_RESTRICTEDOFFICER).
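
A minimal model of the check described above, as an added example (not code from this specification or from any CA implementation). The layout of the rights table, the group map and the sample principals are assumptions constructed for illustration; only the error code comes from the text. It also assumes that an explicit deny overrides an allow and that a request with no matching entry is refused.

```python
from dataclasses import dataclass

S_OK = 0
CERTSRV_E_RESTRICTEDOFFICER = 0x80094009  # error the text says the CA SHOULD return

@dataclass(frozen=True)
class AgentRight:
    """One entry of a simplified, hypothetical enrollment-agent rights table."""
    agent: str      # EA principal, or a group the EA belongs to
    template: str   # template name; "*" means any template (assumption)
    subject: str    # end-entity principal, or a group it belongs to
    allow: bool     # False marks an explicit deny

def check_robo_request(rights, groups, agent, template, subject):
    """Return S_OK if `agent` may request `template` on behalf of `subject`."""
    def principals(name):
        # A principal matches as itself or through any group it is a member of.
        return {name} | groups.get(name, set())

    ea_ids, subject_ids = principals(agent), principals(subject)
    matched = [r for r in rights
               if r.agent in ea_ids
               and r.template in (template, "*")
               and r.subject in subject_ids]
    # Assumed precedence: any matching deny wins, then any matching allow.
    if any(not r.allow for r in matched):
        return CERTSRV_E_RESTRICTEDOFFICER
    if any(r.allow for r in matched):
        return S_OK
    return CERTSRV_E_RESTRICTEDOFFICER  # no entry covers this request

# Constructed sample data (not from the specification).
GROUPS = {
    "EXAMPLE\\alice": {"EXAMPLE\\HelpdeskAgents"},
    "EXAMPLE\\bob": {"EXAMPLE\\Staff"},
    "EXAMPLE\\dave": {"EXAMPLE\\Staff", "EXAMPLE\\Domain Admins"},
}
RIGHTS = [
    AgentRight("EXAMPLE\\HelpdeskAgents", "SmartcardLogon", "EXAMPLE\\Staff", True),
    AgentRight("EXAMPLE\\HelpdeskAgents", "*", "EXAMPLE\\Domain Admins", False),
]

if __name__ == "__main__":
    for subj in ("EXAMPLE\\bob", "EXAMPLE\\dave"):
        rc = check_robo_request(RIGHTS, GROUPS, "EXAMPLE\\alice", "SmartcardLogon", subj)
        print(f"{subj}: 0x{rc:08X}")
```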