3.2.1.4.3.2.16 PropID = 0x00000010 (CR_PROP_CAXCHGCERTCHAIN) "CA Exchange Certificate Chain"

The client has requested the CA exchange certificate and its complete chain. The CA MUST follow these processing rules to process the client's request:

  1. If the PropIndex parameter is not equal to 0x0 or 0xFFFFFFFF, return the E_INVALIDARG (0x80070057) error to the client.

  2. Validate that the Current_CA_Exchange_Cert datum contains a current, valid CA exchange certificate by executing steps 2 and 3 in section 3.2.1.4.3.2.15.

  3. Construct a signed CMS message with the following fields:

    • ContentType: szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).

    • Content: SignedData (as specified in [RFC3852], section 5.1) with the following requirements:

      • version: Set according to the rules in [RFC3852], section 5.1. For this message (only X.509 certificates, eContentType of id-data, no SignerInfos) those rules yield version 1.

      • digestAlgorithms: The same digest algorithm that was used to sign the current CA's certificate stored in the Signing_Cert_Certificate datum.

      • encapContentInfo: EncapsulatedContentInfo structure (as specified in [RFC3852], section 5.2) with the eContentType set to the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data) and the eContent field set to the CA's exchange certificate from the Current_CA_Exchange_Cert datum.

      • certificates: Contains the CA's certificate stored in the Signing_Cert_Certificate datum and its parent certificates, excluding the root certificate. Because the exchange certificate is issued under the CA's signing certificate, this is the chain a client needs to validate the exchange certificate; the root is omitted, nothing in this message vouches for it, and the client must already trust it. To obtain the parent certificates, the CA SHOULD use the Authority Information Access (AIA) extension of its certificate and of each parent certificate in turn. The AIA extension is specified in [RFC3280] section 4.2.2.1.

      • crls: Not used. 

      • signerInfos: Not used. The SignedData therefore carries no signature and serves only as a container; a client should validate the extracted exchange certificate against the CA certificate it already trusts rather than rely on the CMS wrapper for integrity.

  4. Return the CMS message in a CERTTRANSBLOB structure. The structure and its marshaling rules are specified in section 2.2.2.2.
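The message built in step 3 and unwrapped on the client side, as an added example; this is not code from MS-WCCE or from any Windows component. The OIDs are the ones named above; SHA-256 as the CA's signing digest and the three stand-in "certificates" (plain DER SEQUENCEs holding a label, constructed so the example runs offline) are assumptions. A real client would go on to validate the extracted exchange certificate against the CA certificate it trusts, which is exactly what this unsigned wrapper cannot do for it.

```python
"""Build and parse the CA Exchange Certificate Chain blob from step 3.
Added example, not code from MS-WCCE or Windows; DER per X.690, layout per RFC 3852 5.1.
The certificates below are constructed stand-ins, not real X.509, so no signature is verified.
"""
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # szOID_RSA_signedData
OID_DATA = "1.2.840.113549.1.7.1"         # szOID_PKCS_7_DATA
OID_SHA256 = "2.16.840.1.101.3.4.2.1"     # assumption: CA cert signed with SHA-256
SEQUENCE, SET, OCTET_STRING, INTEGER, OID = 0x30, 0x31, 0x04, 0x02, 0x06
CTX0, CTX1 = 0xA0, 0xA1  # constructed context-specific [0] and [1]

def tlv(tag, body):
    """DER tag-length-value with a definite, minimal length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, high bit set on every byte but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OID, bytes(out))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def children(buf):
    """Yield (tag, body) for each DER element in a constructed body."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: (length & 0x7F) length octets follow
            nb = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nb], "big")
            pos += nb
        yield tag, buf[pos:pos + length]
        pos += length
    if pos != len(buf):
        raise ValueError("truncated DER element")

def build_ca_exchange_chain(exchange_cert_der, chain_der, digest_oid=OID_SHA256):
    """CA side (step 3): degenerate SignedData with no signerInfos and no crls."""
    signed_data = tlv(SEQUENCE,
        tlv(INTEGER, b"\x01")                                     # version 1 per RFC 3852 5.1
        + tlv(SET, tlv(SEQUENCE, encode_oid(digest_oid)))         # digestAlgorithms, no parameters
        + tlv(SEQUENCE, encode_oid(OID_DATA)                      # encapContentInfo: id-data,
              + tlv(CTX0, tlv(OCTET_STRING, exchange_cert_der)))  #   eContent = exchange cert DER
        + tlv(CTX0, b"".join(chain_der))                          # certificates [0] IMPLICIT: no SET wrapper
        + tlv(SET, b""))                                          # signerInfos: empty
    return tlv(SEQUENCE, encode_oid(OID_SIGNED_DATA) + tlv(CTX0, signed_data))

def parse_ca_exchange_chain(blob):
    """Client side: unwrap the CMS into the exchange cert, its chain and a signed flag."""
    (tag, content_info), = children(blob)
    (ct_tag, ct), (c_tag, content) = children(content_info)
    if tag != SEQUENCE or ct_tag != OID or decode_oid(ct) != OID_SIGNED_DATA or c_tag != CTX0:
        raise ValueError("not a ContentInfo carrying [0] EXPLICIT SignedData")
    (sd_tag, sd), = children(content)
    fields = list(children(sd))
    version = int.from_bytes(fields[0][1], "big")
    digests = [decode_oid(next(children(alg))[1]) for _, alg in children(fields[1][1])]
    (_, ect), (_, econtent) = children(fields[2][1])
    (oct_tag, exchange_cert), = children(econtent)
    if sd_tag != SEQUENCE or decode_oid(ect) != OID_DATA or oct_tag != OCTET_STRING:
        raise ValueError("eContent must be id-data carried in an OCTET STRING")
    chain, signer_infos = [], b""
    for tag, body in fields[3:]:
        if tag == CTX0:  # each SET OF element is a whole Certificate TLV
            chain = [tlv(t, b) for t, b in children(body)]
        elif tag == CTX1:
            raise ValueError("crls present, but the spec says they are not used")
        elif tag == SET:
            signer_infos = body
    return {"version": version, "digests": digests, "exchange_cert": exchange_cert,
            "chain": chain, "signed": len(signer_infos) > 0}

# Constructed stand-ins for DER certificates; the wrapper treats them as opaque TLVs.
FAKE_XCHG_CERT = tlv(SEQUENCE, b"ca-exchange-certificate")
FAKE_CA_CERT = tlv(SEQUENCE, b"issuing-ca-certificate")
FAKE_PARENT_CERT = tlv(SEQUENCE, b"intermediate-certificate")

if __name__ == "__main__":
    got = parse_ca_exchange_chain(build_ca_exchange_chain(FAKE_XCHG_CERT, [FAKE_CA_CERT, FAKE_PARENT_CERT]))
    print(got["version"], got["digests"], len(got["chain"]), "signed" if got["signed"] else "unsigned")
```

Two encoding details are worth checking in any real implementation: `certificates` is `[0] IMPLICIT CertificateSet`, so the Certificate elements sit directly under tag 0xA0 with no inner SET (wrapping them in a SET is a common mistake that makes the blob unreadable to CMS parsers), and strict DER would sort the elements of that SET OF by their encoding, which this example, like most consumers, does not rely on. The empty `signerInfos` SET is what makes `got["signed"]` false: the client learns the exchange certificate and its chain from the blob but gets no integrity from the wrapper itself.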