3.1.1.4.3.2.1 Renew Certificate Request Using CMS and PKCS #10 Request Formats

The request MUST be an ASN.1 DER encoded CMS request as specified in [RFC3852]. The client constructs the CMS structure as follows:

  • The client SHOULD construct a request for a new certificate by using the PKCS #10 certificate format as specified in section 3.1.1.4.3.1.1 or section 3.1.1.4.3.4.<24>

  • The client MUST add an attribute to the Attributes field in the PKCS #10. The attribute is szOID_RENEWAL_CERTIFICATE (1.3.6.1.4.1.311.13.1) as specified in section 2.2.2.7.3. The value for this attribute MUST be an ASN.1 DER encoded certificate to be renewed.

  • The client MUST construct a CMS with the following requirements:

    • ContentType: This field MUST be the OID szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).

    • Content: This field MUST be a SignedData with the following values for its fields:

      • encapContentInfo: This field MUST have the following values for its fields:

        • eContentType: This field MUST be the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data).

        • eContent: This field MUST be the new PKCS #10 certificate request constructed in the preceding (first) step.

      • Certificates: This field MUST include the certificate to be renewed, which is the certificate associated with the private key used to sign the request (the same certificate as the one placed in the PKCS #10 Attributes field in the preceding (second) step).

      • SignerInfos: The first SignerInfo in the SignerInfos collection MUST use the key associated with the certificate to be renewed.
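A pure-Python illustration of the layout above, added here and not code from MS-WCCE or Microsoft: minimal DER helpers build a constructed sample request around placeholder certificate and signature bytes, and a checker reports which of the listed field requirements a request violates. It checks layout only; signature verification and the binding of the first SignerInfo to the renewed certificate's key are assumed to be done by the real CA.

```python
# Added example (not Microsoft's code): DER helpers, a constructed sample request with
# placeholder certificate/signature bytes, and a layout check for the requirements above.
# szOID_RSA_signedData, szOID_PKCS_7_DATA, szOID_RENEWAL_CERTIFICATE:
SIGNED_DATA, ID_DATA, RENEWAL = "1.2.840.113549.1.7.2", "1.2.840.113549.1.7.1", "1.3.6.1.4.1.311.13.1"
def tlv(tag, *parts):  # DER tag-length-value (definite length); parts are concatenated as the value
    body = b"".join(parts)
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + body
def oid_value(dotted):  # dotted OID string -> OBJECT IDENTIFIER content octets (base-128 arcs)
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.append(0x80 | (v & 0x7F))
        out += chunk[::-1]
    return bytes(out)
def children(buf):  # decode consecutive DER TLVs -> [(tag, content_bytes), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low 7 bits give the number of length octets
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def build_sample_request(cert, attr_cert=None):  # constructed sample; cert = DER of the renewed cert
    attr = tlv(0x30, tlv(0x06, oid_value(RENEWAL)), tlv(0x31, attr_cert or cert))  # attr_cert: test hook
    cri = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30), tlv(0x30), tlv(0xA0, attr))  # version, subject, spki, [0] attrs
    pkcs10 = tlv(0x30, cri, tlv(0x30), tlv(0x03, b"\x00"))  # dummy signatureAlgorithm / signature
    eci = tlv(0x30, tlv(0x06, oid_value(ID_DATA)), tlv(0xA0, tlv(0x04, pkcs10)))  # encapContentInfo
    signer = tlv(0x30, tlv(0x02, b"\x01"), tlv(0x30), tlv(0x30), tlv(0x30), tlv(0x04, b"sig"))  # dummy SignerInfo
    sd = tlv(0x30, tlv(0x02, b"\x01"), tlv(0x31), eci, tlv(0xA0, cert), tlv(0x31, signer))  # SignedData
    return tlv(0x30, tlv(0x06, oid_value(SIGNED_DATA)), tlv(0xA0, sd))  # ContentInfo

def check_renewal_request(cms):  # -> list of violated requirements ([] == layout conforms)
    ci = children(children(cms)[0][1])                 # [contentType, [0] EXPLICIT SignedData]
    sd = children(children(ci[1][1])[0][1])            # SignedData fields, in order
    eci = children(sd[2][1])                           # [eContentType, [0] EXPLICIT eContent]
    req = children(children(eci[1][1])[0][1])[0]       # CertificationRequest taken out of the OCTET STRING
    info = children(req[1])[0][1]                      # certificationRequestInfo content
    renewed = [children(children(a)[1][1])[0] for t, s in children(info) if t == 0xA0
               for _, a in children(s) if children(a)[0] == (0x06, oid_value(RENEWAL))]
    certs = children(sd[3][1]) if sd[3][0] == 0xA0 else []   # [0] IMPLICIT certificates, if present
    checks = [(ci[0] == (0x06, oid_value(SIGNED_DATA)), "ContentType is not id-signedData"),
              (eci[0] == (0x06, oid_value(ID_DATA)), "eContentType is not id-data"),
              (bool(renewed) and all(c in certs for c in renewed), "renewal attribute missing, or its certificate is not in Certificates"),
              (bool(children(sd[-1][1])), "SignerInfos is empty")]
    return [msg for ok, msg in checks if not ok]
```

A production validator must additionally bounds-check every tag and length before indexing, and verify the CMS signature against the certificate named in the first SignerInfo.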