2.2.1.4 Health Certificate Request

The health certificate request MUST be in PKCS #10 format (as specified in [RFC2986]) and be encoded in ASN.1 Distinguished Encoding Rules (DER), as specified in [ITUX680]. This MUST be present in an HCEP request. The HRA processing of the health certificate request is specified in section 3.2.5. It MUST contain the following parts, as specified in [RFC2986] section 4.

Tokens

subject: SHOULD be a zero-length string if the ClientAuthenticationFlag ADM element specified in section 3.1.1 is TRUE; otherwise, it SHOULD be the predefined string "Anonymous System Health Authentication", as specified in [RFC3280] section 4.1.2.6.<9>

subjectPublicKeyInfo: MUST be a public key for the X.509 certificate, as specified in [RFC3280] section 4.1.

PKCS #10 Attributes: The following X.509 certificate extensions are encapsulated as PKCS #10 attributes in the health certificate request. PKCS #10 attributes are as specified in [RFC2986] section 4.1.

Extended Key Usage: A health certificate request MUST contain an Extended Key Usage (EKU) extension (as specified in [RFC3280] section 4.2.1.1) with the OID values specified as follows:

  • MUST have an OID to indicate that the certificate request is a health certificate request.<10>

  • SHOULD have the OID value that indicates id-kp-clientAuth, as specified in [RFC3280] section 4.2.1.13, if the ClientAuthenticationFlag ADM element specified in section 3.1.1 is TRUE.<11>

Subject Alternative Name: MUST be the fully qualified domain name (FQDN) of the client if the ClientAuthenticationFlag ADM element specified in section 3.1.1 is TRUE. This extension MUST be as specified in [RFC3280] section 4.2.1.7.

Statement of Health Certificate Extension: The certificate request MUST have a certificate extension, as specified in [RFC3280]. This certificate extension MUST contain the ASN.1 DER-encoded statement of health data, as specified in section 2.2.3.7.

Cryptographic Service Provider Certificate Extension: The certificate request MUST have a certificate extension that carries the name of the cryptographic service provider (CSP) used to generate the key pair on the HCEA. The extension and its OID value MUST be as specified in [MS-WCCE] section 2.2.2.7, which defines the certificate request attributes.<12>

The certificate request MUST be signed, using one of the preconfigured signature algorithms specified in section 1.5, to prevent tampering. The signature over the certificate request MUST be included in the PKCS #10 message, as specified in [RFC2986].
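As an added illustration, not part of MS-HCEP or any Microsoft implementation, the following Python decodes the DER-encoded Extended Key Usage attribute described above and applies this section's two EKU rules on the validating (HRA) side. The health certificate OID is a placeholder, since the real value lives in footnote <10>, and the sample EKU bytes are constructed here for the example.

```python
# Added example, not MS-HCEP code: decode the DER-encoded Extended Key Usage
# of a health certificate request and apply this section's EKU rules.
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, [RFC3280] 4.2.1.13
HEALTH_CERT_OID = "1.2.3.4.5.6.7.8.9"     # PLACEHOLDER; real value is in footnote <10>
# Constructed sample: SEQUENCE { OID 1.2.3.4.5.6.7.8.9, OID 1.3.6.1.5.5.7.3.2 }
SAMPLE_EKU = bytes.fromhex("3014" "06082a03040506070809" "06082b06010505070302")

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, pos + 2
    elif first == 0x80:                   # indefinite length is BER-only
        raise ValueError("indefinite length is not valid DER")
    else:                                 # long form: 0x8N, then N length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_eku(der: bytes) -> list[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId, returned as dotted OIDs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06 or not body or body[-1] & 0x80:
            raise ValueError("EKU member is not a well-formed OBJECT IDENTIFIER")
        # First octet packs the first two arcs; remaining arcs are base-128.
        arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
        value = 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
    return oids

def check_eku(der: bytes, client_auth_flag: bool) -> list[str]:
    """Problems an HRA would flag; an empty list means the EKU is acceptable."""
    oids = decode_eku(der)
    problems = [] if HEALTH_CERT_OID in oids else ["missing health certificate EKU OID"]
    if client_auth_flag and ID_KP_CLIENT_AUTH not in oids:
        problems.append("ClientAuthenticationFlag is TRUE but id-kp-clientAuth is absent")
    return problems
```

The decoder rejects trailing bytes, indefinite lengths and unterminated OID arcs, which is the strictness a DER consumer needs before trusting anything else in the request.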