2.2.3.5 Certificate Chain

A Certificate Chain is a PKCS 7 Version 1.5 message of type SignedData as specified in [RFC2315] section 9.1. It consists of a list of [X509] version 3 certificates with delegation information stored in extension properties.

The total number of certificates in a Certificate Chain MUST NOT be more than 25.

Each certificate in the chain MUST be an [X509] version 3 [RFC2459] format certificate, with the following constraints on the fields defined in [RFC2459]:

  1. The version ([RFC2459] section 4.1.2.1) MUST be set to 2 (version 3).

  2. The signatureAlgorithm ([RFC2459] section 4.1.1.2) MUST be set to the OID 1.2.840.113549.1.1.5.

  3. The serialNumber ([RFC2459] section 4.1.2.2) MUST be present and MUST be exactly 16 bytes long.

  4. The subjectUniqueID and issuerUniqueID ([RFC2459] section 4.1.2.8) MUST be empty with a length of 0 bytes.

  5. The subjectPublicKeyInfo ([RFC2459] section 4.1.2.7) MUST conform to the syntax as specified in section 2.2.3.1.4.

  6. The subject ([RFC2459] section 4.1.2.6) MUST be a null-terminated Unicode string that MUST NOT be longer than 255 characters.

  7. The issuer ([RFC2459] section 4.1.2.4) MUST be a null-terminated Unicode string that MUST NOT be longer than 255 characters.
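The following checker, an added example that is not part of the specification, walks a DER-encoded certificate with a minimal TLV parser and reports which of constraints 1 to 3 above it violates (version, signatureAlgorithm OID and serialNumber length); constraints 4 to 7 need the remaining TBSCertificate fields and are left out for brevity. The `build_cert` helper produces a constructed, non-functional test certificate carrying only the fields the checker reads, and the code assumes definite-length DER as [RFC2459] requires.

```python
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)

def tlv(tag, body):
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: the low 7 bits give the number of length bytes
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the body of a constructed element into its [(tag, body), ...] parts."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def check_certificate(der):
    """Return the numbers of the violated constraints (an empty list means OK)."""
    (_, tbs), (_, sig_alg) = children(read_tlv(der)[1])[:2]  # tbsCertificate, signatureAlgorithm
    fields, problems = children(tbs), []
    has_version = fields[0][0] == 0xA0  # EXPLICIT [0] version; when absent the cert is v1
    if not has_version or children(fields[0][1])[0][1] != b"\x02":
        problems.append(1)  # constraint 1: version must be 2 (v3)
    if children(sig_alg)[0][1] != SHA1_RSA_OID:
        problems.append(2)  # constraint 2: signatureAlgorithm OID must be 1.2.840.113549.1.1.5
    serial = fields[1] if has_version else fields[0]
    if serial[0] != 0x02 or len(serial[1]) != 16:
        problems.append(3)  # constraint 3: serialNumber present and exactly 16 bytes
    return problems

def build_cert(version=b"\x02", serial=b"\x01" * 16, oid=SHA1_RSA_OID):
    """Constructed test certificate (not a real one): only the checked fields are populated."""
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, version)) + tlv(0x02, serial) + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))  # tbs, sigalg, dummy signature BIT STRING
```

Run `check_certificate` over each element of the chain and additionally reject the chain when it holds more than 25 certificates.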