2.2.2.6.4 Netscape KEYGEN Tag Request Format

Certificate requests MAY use the Netscape request format, which MUST be the same format that a Netscape 3.x or Netscape 4.x browser would send to a web server in response to an HTML <KEYGEN> tag (section 1.3.2.4) after a user fills in the request form that the tag instantiates.

The data sent in the request string is called a Signed Public Key and Challenge (SPKAC) and MUST be encoded as specified in the following ASN.1 structure example.

 PublicKeyAndChallenge ::= SEQUENCE {
     spki SubjectPublicKeyInfo,
     challenge IA5STRING
 }
  
 SignedPublicKeyAndChallenge ::= SEQUENCE {
     publicKeyAndChallenge PublicKeyAndChallenge,
     signatureAlgorithm AlgorithmIdentifier,
     signature BIT STRING
 }
  

Two attributes are associated with a request from a Netscape browser: CertType and rdn. These attributes MUST be passed along with the Netscape certificate request in the pwszAttributes parameter of the ICertRequestD::Request or ICertRequestD2::Request2 method. The methods are specified in sections 3.2.1.4.2.1 and 3.2.1.4.3.1.
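The following added example (not part of this specification) shows a strict DER reader that splits a SignedPublicKeyAndChallenge into the fields defined above and isolates the encoded PublicKeyAndChallenge, which is the byte range the signature is computed over and that a receiver verifies against the enclosed spki. The function names and the sample bytes are assumptions made for illustration; the sample is constructed and holds placeholder key and signature values.

```python
# Added example. Sample bytes are constructed placeholders, not a real key or signature.
SEQ, IA5, BITSTR = 0x30, 0x16, 0x03

def tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos, want):
    """Return (body_start, body_end) of the TLV at pos, rejecting malformed DER."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("unexpected tag or truncated header at offset %d" % pos)
    n, start = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4 or start + k > len(buf) or buf[start] == 0:
            raise ValueError("invalid DER length")
        n = int.from_bytes(buf[start:start + k], "big")
        if n < 0x80:
            raise ValueError("non-minimal DER length")
        start += k
    if start + n > len(buf):
        raise ValueError("truncated value")
    return start, start + n

def parse_spkac(der):
    s, e = read_tlv(der, 0, SEQ)          # SignedPublicKeyAndChallenge
    ps, pe = read_tlv(der, s, SEQ)        # publicKeyAndChallenge
    ks, ke = read_tlv(der, ps, SEQ)       # spki
    cs, ce = read_tlv(der, ke, IA5)       # challenge
    as_, ae = read_tlv(der, pe, SEQ)      # signatureAlgorithm
    bs, be = read_tlv(der, ae, BITSTR)    # signature
    if e != len(der) or ce != pe or be != e or bs == be or der[bs] != 0:
        raise ValueError("unexpected layout or trailing bytes")
    return {"signed_bytes": der[s:pe],    # DER the signature is computed over
            "spki": der[ps:ke],
            "challenge": der[cs:ce].decode("ascii"),
            "signature_algorithm": der[pe:ae],
            "signature": der[bs + 1:be]}  # skip the unused-bits octet

def sample_spkac():
    """Build a constructed SPKAC with a dummy spki and a 128-byte dummy signature."""
    spki = tlv(SEQ, tlv(SEQ, b"") + tlv(BITSTR, b"\x00" + b"\xAA" * 16))
    pkac = tlv(SEQ, spki + tlv(IA5, b"constructed-challenge"))
    alg = tlv(SEQ, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    return tlv(SEQ, pkac + alg + tlv(BITSTR, b"\x00" + b"\x5A" * 128))
```

A receiver would compare the returned challenge with the value it issued in the form and verify the signature over `signed_bytes` with a cryptographic library before accepting the key.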