3.2.2.6.2.1.2.1.1 Request on Behalf of Using CMS and PKCS #10 Request Formats
The request MUST be compliant with the information that is specified in [RFC3852]. The processing rules for the following fields MUST be adhered to by the CA but are not specified by [RFC3852]:
contentType: This field MUST be set to the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData). If it is not, the CA MUST return a non-zero error.
content: This field is a SignedData structure (as specified in [RFC3852] section 5.1) and has the following requirements for its fields:
encapContentInfo: This field MUST have the following values for its fields:
eContentType: This field MUST be set to the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data). If it is not, the CA MUST return a non-zero error.
eContent: This field MUST be the PKCS #10 certificate request. Processing rules MUST be identical to the ones specified in section 3.2.1.4.2.1.4.1.1.
certificates: This field MUST include all the certificates that are associated with the private keys used to sign the certificate request. The certificates MUST have the certificate request agent EKU (1.3.6.1.4.1.311.20.2.1).
signerInfos: The signing MUST be done with the key (or keys) associated with the certificate or certificates that are passed in the certificates field.
AuthenticatedAttributes (in the first SignerInfo instance): This field MUST include the OID szENROLLMENT_NAME_VALUE_PAIR (1.3.6.1.4.1.311.13.2.1) attribute. The value of the attribute MUST include the requestername name-value pair. The value of the requestername name-value pair MUST be used to construct the Subject field in the issued certificate.
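The structural rules above (contentType, eContentType, and presence of eContent and the certificates field) can be checked on the raw DER before any signature processing. The following is an added example, not code from this specification or from any CA implementation. The names `check_request` and `build_sample` are hypothetical, the sample input is constructed with placeholder bodies, and the EKU, signature, and requestername rules are not covered.

```python
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2, id-signedData
PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1, id-data

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the content of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def check_request(der):
    """Return violations of the structural rules; an empty list means none found."""
    try:
        _, ci, _ = read_tlv(der, 0)                  # ContentInfo SEQUENCE
        (t1, ctype), (_, content) = children(ci)[:2]
        if (t1, ctype) != (0x06, SIGNED_DATA):
            return ["contentType is not id-signedData"]
        _, sd, _ = read_tlv(content, 0)              # SignedData inside [0] EXPLICIT
        fields = children(sd)                        # version, digestAlgorithms, encap, ...
        encap, errors = children(fields[2][1]), []
        if encap[0] != (0x06, PKCS7_DATA):
            errors.append("eContentType is not id-data")
        if len(encap) < 2:
            errors.append("eContent (PKCS #10 request) is absent")
        if not any(tag == 0xA0 for tag, _ in fields[3:]):
            errors.append("certificates field is absent")
        return errors
    except (ValueError, IndexError):
        return ["malformed DER"]

def build_sample(ctype="2a864886f70d010702", ectype="2a864886f70d010701", certs=True):
    """Constructed test input: a skeletal ContentInfo with placeholder bodies."""
    t = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    encap = t(0x30, t(0x06, bytes.fromhex(ectype)) + t(0xA0, t(0x04, b"pkcs10-placeholder")))
    sd = t(0x02, b"\x01") + t(0x31, b"") + encap + (t(0xA0, b"") if certs else b"") + t(0x31, b"")
    return t(0x30, t(0x06, bytes.fromhex(ctype)) + t(0xA0, t(0x30, sd)))
```

A non-empty result corresponds to the cases where the CA MUST return a non-zero error; an empty result only means these structural checks passed, not that the request is acceptable.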