220.127.116.11.18.104.22.168.1 Processing Rules for Key Attestation Based on Certificates
The CA SHOULD verify that there are a maximum of 4 trust module certificates in the Request.
The CA MUST check that any one of the certificates in the request meets the following criteria:
It is a valid certificate according to [RFC5280].
Its public key matches the trust module public key in the request.
It chains up to a trusted root [RFC5280] in the Endorsement Root store using the Endorsement CA store for intermediate CA certificates.
If revocation information is available in the certificate, it must be validated for revocation.
If the request contains the szOID_ENROLL_AIK_INFO attribute, the CA MUST also verify the following on the certificate:
If successful, the CA MUST store the SHA2 hash of the valid trust module certificate as a hexadecimal string with no spaces in the EndorsementCertificateHash column of the Request table ([MS-CSRA] section 22.214.171.124.2), and the CA MUST set the CR_FLG_TRUSTEKCERT flag in the Request_Request_Flags column to indicate that key attestation succeeded while processing a trusted certificate.