Certificate Request
... POP will be made if necessary.
- The protocol will support deferred and pending responses to
certificate request for cases where external procedures are
required to issue a certificate.
...
... one of a set of standards defined by RSA Laboratories in the
1980s. PKCS#10 defines a Certificate Request Message syntax.
"CRMF" refers to the Certificate Request Message Format ...
... Certificate Request Message syntax.
"CRMF" refers to the Certificate Request Message Format RFC [CRMF].
We are using certificate request message format ...
... Certificate Request Message Format RFC [CRMF].
We are using certificate request message format defined in this
document as part of our management protocol.
...
... +----------+--------------+ | message |
| | +------------------+------+
| Certificate Request | | |
| | | CMS Signed Data ...
... | | | All certificates issued |
| Certificate requests | | as part of the response |
| are CRMF or PKCS#10 | | are included in the |
...
... part of the request being successfully processed.
-- reqSequence consists of a sequence of certificate requests. The
certificate requests can be either a CertificateRequest ...
... -- reqSequence consists of a sequence of certificate requests. The
certificate requests can be either a CertificateRequest (PKCS10
request) or a CertReqMsg. Details on each of these request types are
...
... key usage from key exchange to signing.) If a certificate
request is denied due to the inability to handle a requested
extension, the server MUST respond with a failInfo attribute of
unsupportedExt.
...
... omitted unless it is only item in the response message. If no status
exists for a certificate request or other item requiring processing,
then the value of success is to be assumed.
...
... -- the request body part has not yet been processed,
-- requester is responsible to poll back on this
-- pending may only be return for certificate request
operations.
noSupport (4),
...
... CMS
SignedData object containing all of the certificate requests.
Proof-of-possession information for key pairs ...
... behind both mechanisms is to force the client to sign some data into
each certificate request that can be directly associated with the
shared-secret; this will defeat attempts to include certificate
requests from different entities in a single Full PKI ...
... each certificate request that can be directly associated with the
shared-secret; this will defeat attempts to include certificate
requests from different entities in a single Full PKI Request
message.
...
... derived from the shared-secret token as a signed extension within
each certificate request (PKCS#10 or CRMF) message. This technique
is useful if null subject ...
... bit HMAC-SHA1 result from Step 3 is encoded as the value
of an idPOPLinkWitness extension to the certificate request.
a. For CRMF, idPOPLinkWitness is included in the controls section
...
... section of the CertificationRequest structure.
Upon receipt, servers MUST verify that each certificate request
contains a copy of the idPOPLinkWitness and that its value was
derived in the specified manner from the shared secret ...
... subject
DN in every certificate request. It is expected that many client-
server connections ...
... shared secret as the subject name in every
certificate request (PKCS#10 and/or CRMF) in the Full PKI Request.
...
... subject DN included in
each certificate request matches that associated with the shared
secret. If either of these checks fails the certificate request MUST
...
... each certificate request matches that associated with the shared
secret. If either of these checks fails the certificate request MUST
be rejected.
...
... certificate
referenced by the CMS SignerInfo object, and (b) all certificate
requests within the request message MUST match according to the
standard name match rules described in [PKIXCERT ...
...
-- extensions field contains the sequence of extensions to be
applied to the referenced certificate requests.
Servers MUST be able to process all extensions defined in [PKIXCERT ...
... approach).
1. If the conflict is within a single PKIData object, the certificate
request would be rejected with an error of badRequest.
2. If the conflict is between different PKIData objects, the
...
... encrypted pop with the following fields
set:
a. request is the certificate request in the original request
message (it is included here so the client need not key a copy
...
... b. cms is an EnvelopedData object, the content type being id-data
and the content being the value y. If the certificate request
contains a subject key identifier ...
... encoded as NULL and the SerialNumber as the bodyPartId of the
certificate request,
c. thePOPAlgID contains the algorithm to be used in computing the
...
... creates the decryptedPOP as part of a new PKIData
message. The fields in the decryptedPOP are:
a. bodyPartID refers to the certificate request in the new
enrollment message,
b. thePOPAlgID is copied from the encryptedPOP,
...
... value of x would normally be altered on a regular basis and kept
for a short time afterwards.)
2. For certificate request R, server computes y = F(x,R). F can be,
for example, HMAC-SHA1(x,R). All that's important for
...
... PKIRequest body.
-- bodyIds contains a list of certificate requests for which the
LRA has performed an out-of-band authentication ...
... identity checking can cause a delay in returning the
certificate related to a certificate request. The query pending
attribute allows for a client ...
... query a server about the state of a
pending certificate request. The server returns a token as part of
the CMCStatusInfo attribute (in the otherInfo field). The client ...
... Confirm Certificate Acceptance control attribute is used for that
purpose. If the CMCStatusInfo on a certificate request is
confirmRequired, then the client MUST return a Confirm Certificate ...
...
In processing an enrollment message, an LRA MUST NOT alter any
certificate request body (PKCS #10 or CRMF) as any alteration would
invalidate the signature ...
... }
-- Used for LRAs to add extensions to certificate requests
id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}
...
...
-- The following exists to allow Diffie-Hellman Certificate Requests
Messages to be
-- well-formed ...
