3.2.2.6.2.1.2.1.1 Request on Behalf of Using CMS and PKCS #10 Request Formats

The request MUST be compliant with the information that is specified in [RFC3852]. The processing rules for the following fields MUST be adhered to by the CA but are not specified by [RFC3852]:

  • contentType: This field MUST be set to the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData). If it is not, the CA MUST return a non-zero error.

  • content: This field is a SignedData structure (as specified in [RFC3852] section 5.1) and has the following requirements for its fields:

    • encapContentInfo: This field MUST have the following values for its fields:

      • eContentType: This field MUST be set to the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data). If it is not, the CA MUST return a non-zero error.

      • eContent: This field MUST be the PKCS #10 certificate request. Processing rules MUST be identical to the ones specified in section 3.2.1.4.2.1.4.1.1.

    • certificates: This field MUST include all the certificates that are associated with the private keys used to sign the certificate request. The certificates MUST have the certificate request agent EKU (1.3.6.1.4.1.311.20.2.1).

    • signerInfos: The signing MUST be done with the key (or keys) associated with the certificate or certificates that are passed in the certificates field.

      • AuthenticatedAttributes (in the first SignerInfo instance): This field MUST include the OID szENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1) attribute. The value of the attribute MUST include the requestername name-value pair. The value of the requestername name-value pair MUST be used to construct the Subject field in the issued certificate.
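As an added illustration (not part of this specification or of any Microsoft implementation), the following Python builds a constructed, unsigned SignedData skeleton in the shape described above and applies the structural checks a CA would make on it: the contentType and eContentType OIDs, the presence of the certificates field, and the requestername name-value pair in the first SignerInfo's authenticated attributes. It assumes the attribute value is a SEQUENCE of two BMPStrings (name, value) and uses placeholders for the PKCS #10 body and the agent certificate; EKU inspection and signature verification are outside what this snippet checks.

```python
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"    # szOID_RSA_signedData
ID_DATA = "1.2.840.113549.1.7.1"           # szOID_PKCS_7_DATA
ENROLL_NVP = "1.3.6.1.4.1.311.13.2.1"      # szENROLLMENT_NAME_VALUE_PAIR
SEQ, SET, OID, INT, OCTS, BMP, CTX0 = 0x30, 0x31, 0x06, 0x02, 0x04, 0x1E, 0xA0

def der(tag, body):  # encode one DER TLV (definite length, short or long form)
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def tlvs(data):  # split data into its top-level DER (tag, value) pairs
    i, out = 0, []
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                   # long-form length: next (ln & 0x7F) bytes
            ln, i = int.from_bytes(data[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        out.append((tag, data[i:i + ln])); i += ln
    return out
def oid(dotted):  # dotted OID string -> OBJECT IDENTIFIER contents (no tag/length)
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7): chunk.append(0x80 | (a & 0x7F))
        body += reversed(chunk)
    return bytes(body)

def check_request(data):
    """Apply the field rules above to a DER ContentInfo; returns (violations, requestername or None)."""
    ci = tlvs(tlvs(data)[0][1])                         # [contentType OID, [0] EXPLICIT content]
    if ci[0] != (OID, oid(ID_SIGNED_DATA)):
        return ["contentType is not id-signedData"], None
    sd = tlvs(tlvs(ci[1][1])[0][1])                     # SignedData: version, digestAlgs, encapContentInfo, ...
    errs = [] if tlvs(sd[2][1])[0] == (OID, oid(ID_DATA)) else ["eContentType is not id-data"]
    if not any(t == CTX0 for t, _ in sd[3:-1]):          # certificates [0] IMPLICIT: OPTIONAL in CMS, required here
        errs.append("certificates field missing")
    signers = tlvs(sd[-1][1])                           # signerInfos SET; the attribute is taken from the first one
    attrs = next((tlvs(v) for t, v in tlvs(signers[0][1]) if t == CTX0), []) if signers else []
    nvps = [tlvs(x) for _, a in attrs for _, x in tlvs(tlvs(a)[1][1]) if tlvs(a)[0] == (OID, oid(ENROLL_NVP))]
    name = next((v.decode("utf-16-be") for (_, n), (_, v) in nvps if n.decode("utf-16-be") == "requestername"), None)
    errs += [] if name else ["requestername pair missing from the first SignerInfo's authenticated attributes"]
    return errs, name

def build_sample(content_type=ID_SIGNED_DATA, requester="CONTOSO\\alice"):
    """Constructed sample (not a real signed request): minimal SignedData skeleton with placeholder bodies."""
    bmp = lambda s: der(BMP, s.encode("utf-16-be"))
    nvp_attr = der(SEQ, der(OID, oid(ENROLL_NVP)) + der(SET, der(SEQ, bmp("requestername") + bmp(requester))))
    encap = der(SEQ, der(OID, oid(ID_DATA)) + der(CTX0, der(OCTS, b"<PKCS#10 placeholder>")))
    signer = der(SEQ, der(INT, b"\x01") + der(SEQ, b"") + der(SEQ, b"") + der(CTX0, nvp_attr) + der(SEQ, b"") + der(OCTS, b"\x00"))
    signed = der(SEQ, der(INT, b"\x01") + der(SET, b"") + encap + der(CTX0, der(SEQ, b"<agent cert placeholder>")) + der(SET, signer))
    return der(SEQ, der(OID, oid(content_type)) + der(CTX0, signed))
```

Running `check_request(build_sample())` yields no violations and the requester name; swapping the outer contentType for id-data reproduces the first MUST-fail case above.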