2.2.3.1.4.1 Credential Structure

A certificate chain is a Public Key Cryptography Standards (PKCS) 7 version 1.5 message of type SignedData as specified in [RFC2315] section 9.1. The chain consists of a list of [X509] version 3 certificates.

The total number of certificates in a certificate chain MUST NOT be more than 25.

Each certificate in the chain MUST be formatted as an [X509] version 3 [RFC2459] certificate, with the following constraints on the fields defined in [RFC2459].

The version field ([RFC2459] section 4.1.2.1) MUST be set to 2 (version 3).

The signatureAlgorithm field ([RFC2459] section 4.1.1.2) MUST be set to the OID 1.2.840.113549.1.1.5.

The serialNumber field ([RFC2459] section 4.1.2.2) MUST be present and MUST be exactly 16 bytes long.

The subjectUniqueID and issuerUniqueID fields ([RFC2459] section 4.1.2.8) MUST be empty with a length of 0 bytes.

The subjectPublicKeyInfo field ([RFC2459] section 4.1.2.7) MUST conform to the syntax specified in section 2.2.1.

The subject field ([RFC2459] section 4.1.2.6) MUST be a null-terminated Unicode string that MUST NOT be longer than 255 characters.

The issuer field ([RFC2459] section 4.1.2.4) MUST be a null-terminated Unicode string that MUST NOT be longer than 255 characters.
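As an added example that is not part of the specification, the following Python applies the version, serialNumber, signature-algorithm and chain-length constraints above to the leading fields of DER-encoded TBSCertificate blobs; it reads the `signature` AlgorithmIdentifier inside TBSCertificate, which [RFC2459] requires to equal the outer signatureAlgorithm, and the input is a constructed sample rather than a real certificate. The subjectPublicKeyInfo, subject and issuer constraints are not checked here.

```python
SHA1_RSA_OID = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption, the OID required above

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def check_tbs_prefix(cert_tbs):
    """Return violations found in the leading TBSCertificate fields."""
    problems = []
    _, tbs, _ = der_tlv(cert_tbs)  # TBSCertificate SEQUENCE
    tag, wrapped, pos = der_tlv(tbs)  # [0] EXPLICIT Version
    if tag != 0xA0:
        return ["version field absent (v1 certificate)"]
    _, ver, _ = der_tlv(wrapped)
    if ver != b"\x02":
        problems.append(f"version is {ver[0]}, expected 2 (v3)")
    _, serial, pos = der_tlv(tbs, pos)  # CertificateSerialNumber INTEGER
    if len(serial) != 16:
        problems.append(f"serialNumber is {len(serial)} bytes, expected 16")
    _, alg, _ = der_tlv(tbs, pos)  # signature AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg)
    if der_oid(oid) != SHA1_RSA_OID:
        problems.append(f"signature OID is {der_oid(oid)}, expected {SHA1_RSA_OID}")
    return problems

def check_chain(chain):
    """Chain-length limit plus per-certificate checks over a list of DER TBS blobs."""
    problems = [f"chain has {len(chain)} certificates, limit is 25"] if len(chain) > 25 else []
    for i, cert in enumerate(chain):
        problems += [f"cert {i}: {p}" for p in check_tbs_prefix(cert)]
    return problems

def sample_tbs(version=2, serial_len=16, oid=bytes.fromhex("2a864886f70d010105")):
    """Constructed TBSCertificate prefix (not a real certificate) for exercising the checks."""
    ver = b"\xa0\x03\x02\x01" + bytes([version])
    serial = b"\x02" + bytes([serial_len]) + bytes(range(1, serial_len + 1))
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"  # OID followed by NULL parameters
    body = ver + serial + b"\x30" + bytes([len(alg)]) + alg
    return b"\x30" + bytes([len(body)]) + body
```

Calling `check_chain([sample_tbs(), sample_tbs(version=1), sample_tbs(serial_len=20)])` returns one message per violated constraint, prefixed with the certificate's index in the chain.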