3.1.1.4.3.1.3 New Certificate Request Using CMS and CMC Request Formats
The request MUST be an ASN.1 DER-encoded CMS request (as specified in [RFC3852]) that includes a CMC request (as specified in [RFC2797]). The client MUST construct an ASN.1 CMC request structure with the following fields:
TaggedRequest: This field MUST contain exactly one certificate request. The certificate request MUST be PKCS #10 as specified in sections 2.2.2.6.1, 2.2.2.6.5, and 3.1.1.4.3.1.1.
TaggedAttributes: The client MAY pass additional enrollment attributes in the RegInfo attribute as specified in [RFC2797] section 5.12. The semantics for the value of this attribute are identical to the ones that are defined for the pwszAttributes parameter for ICertRequestD::Request and ICertRequestD2::Request2. The format of the value is specified in section 2.2.2.6.3.
The client MUST construct CMS (as specified in [RFC3852]) with the following requirements:
ContentType: This field MUST be the OID szOID_PKCS_7_SIGNED (1.2.840.113549.1.7.2, id-signedData).
Content: This field MUST be a SignedData with the following values for its fields:
encapContentInfo field: This field MUST have the following values for its fields:
eContentType: This field MUST be the OID szOID_CT_PKI_DATA (1.3.6.1.5.5.7.12.2, id-cct-PKIData).
eContent: This field MUST be the CMC certificate request constructed in the preceding (first) step.
SignerInfo fields: The first signerInfo MUST either use the subjectKeyIdentifier form of signerInfo, as specified in [RFC2797] section 4.2, or use the No-Signature Signature Mechanism, as specified in [RFC2797] section 3.3.3.1.
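A structural conformance check for the requirements listed above, given as an added example that is not part of the specification or of any implementation of it. It compares DER-encoded OID values and ASN.1 tags only (the tag values follow from the IMPLICIT tagging of the RFC 3852 and RFC 2797 modules) and does not verify the signature or parse the PKCS #10 body. The function names, the violation labels, and the constructed sample request with its placeholder key identifier and signature bytes are assumptions.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")    # 1.2.840.113549.1.7.2
OID_CCT_PKI_DATA = bytes.fromhex("2b06010505070c02")     # 1.3.6.1.5.5.7.12.2
OID_NO_SIGNATURE = bytes.fromhex("2b06010505070602")     # 1.3.6.1.5.5.7.6.2 (id-alg-noSignature)
SHA1, SHA1_RSA = bytes.fromhex("2b0e03021a"), bytes.fromhex("2a864886f70d010105")  # sample only

def tlvs(buf):
    """Split concatenated DER TLVs into [(tag, value), ...]; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def check_request(der):
    """Return the names of the violated requirements; [] means the request conforms."""
    try:
        ctype, content = tlvs(tlvs(der)[0][1])            # ContentInfo
        sd = tlvs(tlvs(content[1])[0][1])                 # [0] EXPLICIT -> SignedData fields
        encap = tlvs(sd[2][1])                            # encapContentInfo
        si = tlvs(tlvs(sd[-1][1])[0][1])                  # first entry of signerInfos
        pki = tlvs(tlvs(tlvs(encap[1][1])[0][1])[0][1])   # [0] -> OCTET STRING -> PKIData fields
        reqs = tlvs(pki[1][1])                            # reqSequence
        sigalg = next(f for f in si[3:] if f[0] == 0x30)  # skips optional signedAttrs [0]
        checks = [("ContentType", ctype[1] == OID_SIGNED_DATA),
                  ("eContentType", encap[0][1] == OID_CCT_PKI_DATA),
                  ("TaggedRequest", len(reqs) == 1 and reqs[0][0] == 0xA0),  # tcr [0] = PKCS #10
                  ("SignerInfo", si[1][0] == 0x80 or tlvs(sigalg[1])[0][1] == OID_NO_SIGNATURE)]
        return [name for name, ok in checks if not ok]   # sid tag 0x80 = subjectKeyIdentifier
    except (ValueError, IndexError, StopIteration):
        return ["malformed"]

def enc(tag, *parts):  # DER-encode one TLV (sample bodies stay under 256 bytes)
    body = b"".join(parts)
    return bytes([tag] + ([len(body)] if len(body) < 128 else [0x81, len(body)])) + body

def sample(ectype=OID_CCT_PKI_DATA, sid_tag=0x80, sig=SHA1_RSA, nreq=1):
    """Constructed skeleton request: empty stand-in PKCS #10 body, dummy key id and signature."""
    alg = lambda o: enc(0x30, enc(0x06, o), enc(0x05))
    req = enc(0xA0, enc(0x02, b"\x01"), enc(0x30))
    pki = enc(0x30, enc(0x30), enc(0x30, req * nreq), enc(0x30), enc(0x30))
    si = enc(0x30, enc(0x02, b"\x03"), enc(sid_tag, b"\x11" * 20), alg(SHA1), alg(sig),
             enc(0x04, b"\x00" * 20))
    encap = enc(0x30, enc(0x06, ectype), enc(0xA0, enc(0x04, pki)))
    sd = enc(0x30, enc(0x02, b"\x03"), enc(0x31, alg(SHA1)), encap, enc(0x31, si))
    return enc(0x30, enc(0x06, OID_SIGNED_DATA), enc(0xA0, sd))
```

`check_request(sample())` returns an empty list; passing `sid_tag=0x30` (the issuerAndSerialNumber form) with the default signature algorithm yields `["SignerInfo"]`.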