IX509CertificateRequestPkcs7 interface

The IX509CertificateRequestPkcs7 interface represents a PKCS #7 certificate message syntax (CMS) object. PKCS #7 defines the format of messages sent to a certification or registration authority to request a public-key certificate. The IX509CertificateRequestPkcs7 interface can be confusing because its implementation does not perfectly mirror the way most security professionals think about the PKCS #7 standard. To avoid this confusion, keep the following points in mind:

  • Although a PKCS #7 message is used to wrap a CMC request, an IX509CertificateRequestPkcs7 object cannot contain an IX509CertificateRequestCmc object. Instead, the IX509CertificateRequestCmc interface inherits and implements the IX509CertificateRequestPkcs7 interface. As implemented, a CMC request is therefore a PKCS #7 SignedData object that contains CMC content, a primary signature that is either null-signed or key-based, and zero or more certificate-based signatures. By contrast, a PKCS #7 request is a SignedData object that contains PKCS #10 content (see the next item in this list) and has exactly one certificate-based signature.
  • An IX509CertificateRequestPkcs7 must contain an IX509CertificateRequestPkcs10 object. The main advantage of wrapping a PKCS #10 request in a PKCS #7 message is the ability to add multiple signers. The PKCS #10 request is signed by the associated private key, and the PKCS #7 message that wraps the PKCS #10 request is also signed. This second signer uses the certificate being renewed (for a renewal request) or the enrollment agent certificate (for an enroll-on-behalf-of request).
  • You can create and enroll a stand-alone IX509CertificateRequestPkcs10 certificate request without wrapping it in an IX509CertificateRequestPkcs7 object.

The ASN.1 representation of a PKCS #7 object in the following syntax example shows that it can be composed of a variety of data types.

    data | signed-data | enveloped-data | signed-and-enveloped-data |
    digested-data | encrypted-data | authenticated-data, ...

Of these, the SignedData object shown below is most relevant. The SignerInfo object referenced in the SignedData object contains the signature information. For a more complete discussion, see PKCS #7 Attributes.

    -- signed-data

    SignedData ::= SEQUENCE
    {
      version           INTEGER,
      digestAlgorithms  DigestAlgorithmIdentifiers,
      contentInfo       ContentInfo,
      certificates      [0] IMPLICIT Certificates OPTIONAL,
      crls              [1] IMPLICIT CertificateRevocationLists OPTIONAL,
      signerInfos       SignerInfos
    }

    SignerInfo ::= SEQUENCE
    {
      version                     INTEGER,
      sid                         CertIdentifier,
      digestAlgorithm             DigestAlgorithmIdentifier,
      authenticatedAttributes     [0] IMPLICIT Attributes OPTIONAL,
      signatureAlgorithm          SignatureAlgorithmIdentifier,
      signature                   SignatureValue,
      unauthenticatedAttributes   [1] IMPLICIT Attributes
    }
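
The following Python code is an added example, not part of the original documentation or of CertEnroll: it walks the DER encoding of the SignedData structure shown above and reports the inner content type, the optional certificates and crls fields, and the SignerInfo entries, which is how a reviewer can confirm that a PKCS #7 request carries exactly one signer. The function names are hypothetical, and the sample message is constructed from placeholder values rather than taken from a real request.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body=b""):  # DER-encode one TLV; used only to build the sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def children(buf):
    """Split DER content into (tag, body) pairs; raise ValueError on bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i] & 0x1F == 0x1F:
            raise ValueError("truncated header or unsupported multi-byte tag")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n >= 0x80:                      # long form: next k bytes hold the length
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("indefinite or truncated length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("element runs past end of buffer")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def summarize(der):
    """Report the SignedData fields a reviewer checks first on a PKCS #7 request."""
    (_, outer), = children(der)                    # outer ContentInfo
    (_, oid), (_, wrapped) = children(outer)       # contentType, [0] content
    if oid != OID_SIGNED_DATA:
        raise ValueError("content type is not signed-data")
    (_, body), = children(wrapped)                 # SignedData SEQUENCE
    fields = children(body)
    optional = {tag for tag, _ in fields[3:-1]}    # [0] certificates, [1] crls
    signers = [children(s) for _, s in children(fields[-1][1])]
    return {"version": fields[0][1][0],
            "inner_oid": children(fields[2][1])[0][1],
            "has_certificates": 0xA0 in optional, "has_crls": 0xA1 in optional,
            "signer_count": len(signers),
            "authenticated_attrs": [any(t == 0xA0 for t, _ in s) for s in signers]}

def sample_request():  # constructed SignedData, one SignerInfo, placeholder values
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")))  # sha256 OID
    signer = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, tlv(0x02, b"\x2a")) + alg
                 + tlv(0xA0, tlv(0x30)) + alg + tlv(0x04, bytes(8)))
    content = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0xA0, tlv(0x04, b"placeholder PKCS #10")))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg) + content
                 + tlv(0xA0, tlv(0x30)) + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))
```

Calling `summarize(sample_request())` returns a dictionary whose `signer_count` is 1; a value other than 1 on a message expected to be a PKCS #7 request means it does not match the shape described above.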


The IX509CertificateRequestPkcs7 interface inherits from IX509CertificateRequest. IX509CertificateRequestPkcs7 also has these types of members:


The IX509CertificateRequestPkcs7 interface has these methods.


Decodes an existing signed or unsigned PKCS #7 object and uses it to initialize the new PKCS #7 object.


Initializes the certificate request or response by using an existing certificate.


Initializes the certificate request from the inner content of a PKCS #7 message.



Initializes the certificate request by using a template.



The IX509CertificateRequestPkcs7 interface has these properties.



Specifies or retrieves a string that contains the Security Account Manager (SAM) name of the end-entity requesting the certificate.



Specifies or retrieves a certificate used to sign the certificate request.



Minimum supported client: Windows Vista [desktop apps only]

Minimum supported server: Windows Server 2008 [desktop apps only]





See also

CertEnroll Interfaces


