IX509CertificateRequestPkcs7 interface (certenroll.h)

The IX509CertificateRequestPkcs7 interface represents a PKCS #7 certificate message syntax (CMS) object. PKCS #7 defines the format of messages sent to a certification or registration authority to request a public-key certificate. The IX509CertificateRequestPkcs7 interface can be confusing because its implementation does not perfectly mirror the way most security professionals think about the PKCS #7 standard. To avoid this confusion, keep the following points in mind:

  • Although a PKCS #7 message is used to wrap a CMC request, an IX509CertificateRequestPkcs7 object cannot contain a IX509CertificateRequestCmc object. Instead, the IX509CertificateRequestCmc interface inherits and implements the IX509CertificateRequestPkcs7 interface. As implemented, a CMC request is therefore a PKCS #7 SignedData object that contains CMC content, a primary signature that is either null-signed or key-based, and zero or more certificate-based signatures. By contrast, a PKCS #7 request is a SignedData object that contains PKCS #10 content (see the next item in this list) and has exactly one certificate-based signature.
  • An IX509CertificateRequestPkcs7 must contain an IX509CertificateRequestPkcs10 object. The main advantage of wrapping a PKCS #10 request in a PKCS #7 message is the ability to add multiple signers. The PKCS #10 request is signed by the associated private key, and the PKCS #7 message that wraps the PKCS #10 request is also signed. This second signer uses the certificate being renewed (for a renewal request) or the enrollment agent certificate (for an enroll-on-behalf-of request).
  • You can create and enroll a stand-alone IX509CertificateRequestPkcs10 certificate request without wrapping it in an IX509CertificateRequestPkcs7 object.

The ASN.1 representation of a PKCS #7 object in the following syntax example shows that it can be composed of a variety of data types.

    data | signed-data | enveloped-data | signed-and-enveloped-data |
    digested-data | encrypted-data | authenticated-data, ...

Of these, the SignedData object shown below is most relevant. The SignerInfo object referenced in the SignedData object contains the signature information. For a more complete discussion, see PKCS #7 Attributes.

-- signed-data

SignedData ::= SEQUENCE 
  version           INTEGER,
  digestAlgorithms  DigestAlgorithmIdentifiers,
  contentInfo       ContentInfo,
  certificates      [0] IMPLICIT Certificates OPTIONAL,
  crls              [1] IMPLICIT CertificateRevocationLists OPTIONAL,
  signerInfos       SignerInfos

SignerInfo ::= SEQUENCE 
  version                     INTEGER,
  sid                         CertIdentifier,
  digestAlgorithm             DigestAlgorithmIdentifier,
  authenticatedAttributes     [0] IMPLICIT Attributes OPTIONAL,
  signatureAlgorithm          SignatureAlgorithmIdentifier,
  signature                   SignatureValue,
  unauthenticatedAttributes   [1] IMPLICIT Attributes


The IX509CertificateRequestPkcs7 interface inherits from IX509CertificateRequest. IX509CertificateRequestPkcs7 also has these types of members:


The IX509CertificateRequestPkcs7 interface has these methods.


Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate.

Specifies or retrieves a certificate used to sign the certificate request.

Decodes an existing signed or unsigned PKCS

Initializes the certificate request by using an existing certificate.

Initializes the certificate request from the inner PKCS

Initializes the certificate request by using a template.

Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate.

Specifies or retrieves a certificate used to sign the certificate request.


Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

CertEnroll Interfaces