3.2.1.4.3.2.33 PropID = 0x00000021 (CR_PROP_CAXCHGCERTCRLCHAIN) "CA Exchange Certificate Chain and CRL"

The client has requested the CA exchange certificate, its complete chain, and all relevant CRLs. The CA MUST follow these processing rules to process a client's request:

  1. If the PropIndex parameter is not equal to 0x0 or 0xFFFFFFFF, return the E_INVALIDARG (0x80070057) error to the client.

  2. Validate that the Current_CA_Exchange_Cert datum contains a current, valid CA exchange certificate by executing steps 2 and 3 in section 3.2.1.4.3.2.15.

  3. Retrieve the Issuer_Name_Id from the request database by finding the row with the Certificate_Hash equal to the Current_CA_Exchange_Cert hash value.

  4. Find the CA signing certificate corresponding to the Current_CA_Exchange_Cert by looking for an entry in the Signing_Cert table with the certificate index (section 3.2.1.4.3.2.39) matching the lower 16 bits of the Issuer_Name_Id value retrieved in step 3 of this procedure.<101>

  5. Construct a signed CMS message with the following fields:

    • ContentType: szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).

    • Content: SignedData (as specified in [RFC3852] section 5.1) with the following requirements:

      • version: See [RFC3852] section 5.1.

      • digestAlgorithms: Same digest algorithm as was used by the CA signing certificate retrieved in step 4 of this procedure to sign the Current_CA_Exchange_Cert.

      • encapContentInfo: EncapsulatedContentInfo structure (as specified in [RFC3852] section 5.2) with the eContentType set to the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1) and the eContent field set to the CA's exchange certificate from the Current_CA_Exchange_Cert datum.

      • certificates: Contains the CA's certificate retrieved in step 4 of this procedure and its parent certificates. To obtain parent certificates, the CA SHOULD use the Authority Information Access (AIA) extension of its certificate and of its parent certificates. The AIA extension is specified in [RFC3280] section 4.2.2.1.

      • crls: Contains all current CRLs and delta CRLs for the CAs whose certificates were added to the certificates field. For each certificate in the certificates field, the CA SHOULD retrieve the CRL using the processing rules in section 3.2.1.4.1.3 by setting the ParameterCertificate to be equal to the current certificate.

      • signerInfos: Not used.

  6. Return the CMS message through a CERTTRANSBLOB structure (as specified in section 2.2.2.2). Marshaling rules for CERTTRANSBLOB are specified in section 2.2.2.2.4.
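A worked example of step 1 and step 5, together with the parse a client would do on the returned CERTTRANSBLOB payload. This is an added illustration, not code from the specification or from any CA implementation: it hand-encodes the degenerate SignedData (version 1, empty signerInfos, exchange certificate in eContent, signing chain in certificates, CRLs in crls) with a minimal DER encoder, then reads the structure back and records any departure from the field requirements listed above. The function names are assumptions of this example; the certificate and CRL blobs in the usage are constructed placeholders rather than real X.509 objects, and the SHA-256 OID stands in for whatever digest algorithm the CA signing certificate actually used.

```python
"""Degenerate (certificates-only) CMS SignedData for PropID 0x21.

Added example, not code from the specification or from any CA product.
The DER helpers are deliberately minimal (definite lengths, no indefinite
forms) and the digest OID passed by the caller is an assumed example.
"""

E_INVALIDARG = 0x80070057

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # szOID_RSA_signedData (id-signedData)
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"   # szOID_PKCS_7_DATA (id-data)


def check_prop_index(prop_index):
    """Step 1: only 0x0 and 0xFFFFFFFF are accepted for this property."""
    return 0 if prop_index in (0x0, 0xFFFFFFFF) else E_INVALIDARG


# --- minimal DER helpers ----------------------------------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def oid_body(dotted):
    """Base-128 contents octets of a dotted OID (no tag or length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _children(content):
    """Split the contents of a constructed element into (tag, body) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


# --- step 5: build the SignedData -------------------------------------------

def build_exchange_chain_cms(exchange_cert, chain_certs, crls, digest_oid):
    """ContentInfo{id-signedData, SignedData} with the fields from step 5.
    signerInfos is an empty SET, so nothing is signed: the message is only
    a container for the exchange cert, its signing chain and the CRLs."""
    alg_id = tlv(0x30, tlv(0x06, oid_body(digest_oid)) + tlv(0x05, b""))
    encap = tlv(0x30, tlv(0x06, oid_body(OID_PKCS7_DATA))
                + tlv(0xA0, tlv(0x04, exchange_cert)))  # [0] EXPLICIT OCTET STRING
    signed_data = tlv(0x30,
        tlv(0x02, b"\x01")                          # version 1: id-data, no signers (RFC 3852 5.1)
        + tlv(0x31, alg_id)                         # digestAlgorithms
        + encap                                     # encapContentInfo
        + tlv(0xA0, b"".join(sorted(chain_certs)))  # [0] IMPLICIT certificates (DER-sorted SET)
        + tlv(0xA1, b"".join(sorted(crls)))         # [1] IMPLICIT crls
        + tlv(0x31, b""))                           # signerInfos: not used
    return tlv(0x30, tlv(0x06, oid_body(OID_SIGNED_DATA)) + tlv(0xA0, signed_data))


# --- client side: parse the CERTTRANSBLOB payload ---------------------------

def parse_exchange_chain_cms(blob):
    """Extract the exchange cert, chain and CRLs, and list any departure
    from the structure this section requires under 'problems'."""
    _, ci, _ = _read_tlv(blob, 0)
    (_, ctype), (_, wrapped) = _children(ci)
    fields = _children(_children(wrapped)[0][1])
    (_, etype), (_, econtent_wrap) = _children(fields[2][1])
    result = {
        "version": int.from_bytes(fields[0][1], "big"),
        "digest_algorithms": [_children(a)[0][1] for _, a in _children(fields[1][1])],
        "exchange_cert": _children(econtent_wrap)[0][1],
        "certificates": [], "crls": [], "signer_infos": None, "problems": [],
    }
    for tag, body in fields[3:]:
        if tag == 0xA0:
            result["certificates"] = [tlv(t, b) for t, b in _children(body)]
        elif tag == 0xA1:
            result["crls"] = [tlv(t, b) for t, b in _children(body)]
        elif tag == 0x31:
            result["signer_infos"] = _children(body)
    if ctype != oid_body(OID_SIGNED_DATA):
        result["problems"].append("contentType is not id-signedData")
    if etype != oid_body(OID_PKCS7_DATA):
        result["problems"].append("eContentType is not id-data")
    if result["signer_infos"]:
        result["problems"].append("signerInfos is not empty")
    if not result["certificates"]:
        result["problems"].append("certificates field is empty")
    return result
```

Because signerInfos is empty, the container itself carries no signature: a client that receives this blob still has to build and validate the exchange certificate's chain against its own trust anchors and check the enclosed CRLs, exactly as it would for a bare certificate. The parser therefore reports structural deviations only and makes no claim about the trustworthiness of the certificates it returns.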