The request MUST be compliant with the information specified in [RFC2797]; otherwise the CA MUST return a non-zero error. In addition, the CA MUST adhere to the processing rules listed with the following fields, which are not explicitly specified by [RFC2797]:
contentType: This field ([RFC3852] section 3) MUST be OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData). If it is not, the CA MUST return a non-zero error.
content: The content structure MUST be a SignedData structure ([RFC3852] section 5.1). The SignedData structure MUST adhere to the following requirements:
encapContentInfo: This field MUST have the following values for its fields:
eContentType: This field ([RFC3852] section 5.2) MUST be OID szOID_CT_PKI_DATA (1.3.6.1.5.5.7.12.2, id-cct-PKIData). If not, the CA MUST return a non-zero error.
eContent: This field MUST be a PKIData structure, as specified in [RFC2797] section 3.1. The PKIData structure MUST adhere to the following requirements:
TaggedRequest: This field MUST contain exactly one certificate request. If the contents of this field are not exactly one PKCS #10 certificate request conforming to the rules specified in sections 2.2.2.6.5 and 3.2.1.4.2.1.4.1.1, the CA MUST return 0x8007000D (ERROR_INVALID_DATA) to the client.
TaggedAttribute: This field MAY contain additional enrollment attributes. If the field contains the RegInfo attribute (as specified in [RFC2797] section 5.12), processing rules for its value are identical to the ones for the pwszAttributes parameter (as specified in section 3.2.1.4.2.1.2).
signerInfos: The request MUST be signed. If the request is not signed, the CA MUST return 0x8009200E (CRYPT_E_NO_SIGNER) to the client.
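The following is an added example, not part of [MS-WCCE] and not Microsoft code: a stdlib-only Python sketch of the envelope checks listed above. It hand-assembles a minimal CMS ContentInfo / SignedData / PKIData with a small DER encoder and then validates it, returning 0 on success or the error code the CA would return. The PKCS #10 body and the SignerInfo are empty placeholders, because signature verification and the PKCS #10 conformance rules of sections 2.2.2.6.5 and 3.2.1.4.2.1.4.1.1 are out of scope here. The order in which the checks run and the value used for the unspecified "non-zero error" are assumptions; `build_request`, `validate_cmc_request` and the other names are this example's own.

```python
# Added example (not from [MS-WCCE] or Microsoft code): the CA-side envelope checks
# for a CMC full PKI request, over hand-built DER, standard library only.

SEQUENCE, SET, INTEGER, OCTET_STRING, OID = 0x30, 0x31, 0x02, 0x04, 0x06
CTX0, CTX1 = 0xA0, 0xA1          # constructed context-specific tags [0] and [1]

ERROR_INVALID_DATA = 0x8007000D  # not exactly one PKCS #10 request in PKIData
CRYPT_E_NO_SIGNER = 0x8009200E   # signerInfos is empty: request is not signed
NONZERO_ERROR = 1                # spec only says "non-zero"; this value is an assumption


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(OID, bytes(body))


OID_SIGNED_DATA = oid("1.2.840.113549.1.7.2")  # szOID_RSA_signedData / id-signedData
OID_PKI_DATA = oid("1.3.6.1.5.5.7.12.2")       # szOID_CT_PKI_DATA / id-cct-PKIData


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, body, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def pkcs10_tagged_request(body_part_id=1):
    pkcs10 = tlv(SEQUENCE, b"")  # constructed placeholder CertificationRequest (body not checked here)
    # TaggedRequest.tcr [0] IMPLICIT TaggedCertificationRequest { bodyPartID, certificationRequest }
    return tlv(CTX0, tlv(INTEGER, bytes([body_part_id])) + pkcs10)


def crmf_tagged_request():
    return tlv(CTX1, b"")  # TaggedRequest.crm [1]: a CRMF CertReqMsg placeholder, not PKCS #10


def build_request(tagged_requests, signer_count=1,
                  content_type=OID_SIGNED_DATA, econtent_type=OID_PKI_DATA):
    """Constructed sample: ContentInfo { contentType, [0] SignedData { ..., PKIData, signerInfos } }."""
    pki_data = tlv(SEQUENCE, tlv(SEQUENCE, b"")                         # controlSequence (empty)
                   + tlv(SEQUENCE, b"".join(tagged_requests))          # reqSequence
                   + tlv(SEQUENCE, b"") + tlv(SEQUENCE, b""))          # cmsSequence, otherMsgSequence
    signer_info = tlv(SEQUENCE, tlv(INTEGER, b"\x01"))                 # placeholder SignerInfo
    signed_data = tlv(SEQUENCE, tlv(INTEGER, b"\x03") + tlv(SET, b"")  # version, digestAlgorithms
                      + tlv(SEQUENCE, econtent_type + tlv(CTX0, tlv(OCTET_STRING, pki_data)))
                      + tlv(SET, signer_info * signer_count))          # signerInfos
    return tlv(SEQUENCE, content_type + tlv(CTX0, signed_data))


def validate_cmc_request(der):
    """Return 0 if the envelope passes the checks, otherwise the error code."""
    try:
        tag, content_info, _ = read_tlv(der, 0)
        fields = children(content_info)
        if tag != SEQUENCE or len(fields) != 2:
            return NONZERO_ERROR
        (ct_tag, ct_val), (c_tag, c_val) = fields
        if tlv(ct_tag, ct_val) != OID_SIGNED_DATA or c_tag != CTX0:
            return NONZERO_ERROR                     # contentType must be id-signedData
        sd_tag, signed_data, _ = read_tlv(c_val, 0)
        sd = children(signed_data)
        if sd_tag != SEQUENCE or len(sd) < 4 or sd[2][0] != SEQUENCE or sd[-1][0] != SET:
            return NONZERO_ERROR
        eci = children(sd[2][1])                     # encapContentInfo
        if len(eci) != 2 or tlv(*eci[0]) != OID_PKI_DATA or eci[1][0] != CTX0:
            return NONZERO_ERROR                     # eContentType must be id-cct-PKIData
        os_tag, pki_data_der, _ = read_tlv(eci[1][1], 0)
        pd_tag, pki_data, _ = read_tlv(pki_data_der, 0)
        pd = children(pki_data)
        if os_tag != OCTET_STRING or pd_tag != SEQUENCE or len(pd) != 4:
            return ERROR_INVALID_DATA
        reqs = children(pd[1][1])                    # reqSequence: SEQUENCE OF TaggedRequest
        if len(reqs) != 1 or reqs[0][0] != CTX0:     # exactly one tcr [0] (PKCS #10) request
            return ERROR_INVALID_DATA
        if not children(sd[-1][1]):                  # signerInfos empty: unsigned request
            return CRYPT_E_NO_SIGNER
        return 0
    except (IndexError, ValueError):
        return NONZERO_ERROR


if __name__ == "__main__":
    print(hex(validate_cmc_request(build_request([pkcs10_tagged_request()]))))
    print(hex(validate_cmc_request(build_request([pkcs10_tagged_request()], signer_count=0))))
```

Run as a script it prints `0x0` for a well-formed, signed, single-PKCS #10 request and `0x8009200e` for the same request with no SignerInfo. Note that a CRMF request (tcr replaced by crm [1]) and a PKIData carrying zero or two requests all map to ERROR_INVALID_DATA, while a wrong contentType or eContentType maps to the unspecified non-zero error, matching the distinction the text draws.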