Skip to content

Certificate Request

Jump to bottom
Endi S. Dewata edited this page Mar 19, 2025 · 2 revisions

PKCS #10 Request

CertificationRequest ::= SIGNED { EncodedCertificationRequestInfo }
    (CONSTRAINED BY { -- Verify or sign encoded
     -- CertificationRequestInfo -- })

SIGNED { ToBeSigned } ::= SEQUENCE {
    toBeSigned ToBeSigned,
    algorithm  AlgorithmIdentifier { {SignatureAlgorithms} },
    signature  BIT STRING
}

EncodedCertificationRequestInfo ::=
    TYPE-IDENTIFIER.&Type(CertificationRequestInfo)
CertificationRequest ::= SEQUENCE {
    certificationRequestInfo CertificationRequestInfo,
    signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
    signature          BIT STRING
}

AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
    algorithm          ALGORITHM.&id({IOSet}),
    parameters         ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}

SignatureAlgorithms ALGORITHM ::= {
    ... -- add any locally defined algorithms here -- }
CertificationRequestInfo ::= SEQUENCE {
    version       INTEGER { v1(0) } (v1,...),
    subject       Name,
    subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
    attributes    [0] Attributes{{ CRIAttributes }}
}

SubjectPublicKeyInfo { ALGORITHM : IOSet} ::= SEQUENCE {
    algorithm        AlgorithmIdentifier {{IOSet}},
    subjectPublicKey BIT STRING
}

PKInfoAlgorithms ALGORITHM ::= {
    ...  -- add any locally defined algorithms here -- }

Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}

CRIAttributes  ATTRIBUTE  ::= {
    ... -- add any locally defined attributes here -- }

Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
    type   ATTRIBUTE.&id({IOSet}),
    values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}

CRMF Request

CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg

CertReqMsg ::= SEQUENCE {
    certReq   CertRequest,
    popo      ProofOfPossession  OPTIONAL,
    regInfo   SEQUENCE SIZE(1..MAX) of AttributeTypeAndValue OPTIONAL
}

CertRequest ::= SEQUENCE {
    certReqId     INTEGER,
    certTemplate  CertTemplate,
    controls      Controls OPTIONAL }

CertTemplate ::= SEQUENCE {
    version      [0] Version               OPTIONAL,
    serialNumber [1] INTEGER               OPTIONAL,
    signingAlg   [2] AlgorithmIdentifier   OPTIONAL,
    issuer       [3] Name                  OPTIONAL,
    validity     [4] OptionalValidity      OPTIONAL,
    subject      [5] Name                  OPTIONAL,
    publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,
    issuerUID    [7] UniqueIdentifier      OPTIONAL,
    subjectUID   [8] UniqueIdentifier      OPTIONAL,
    extensions   [9] Extensions            OPTIONAL }

OptionalValidity ::= SEQUENCE {
    notBefore  [0] Time OPTIONAL,
    notAfter   [1] Time OPTIONAL }

Time ::= CHOICE {
    utcTime        UTCTime,
    generalTime    GeneralizedTime }

PKIPublicationInfo ::= SEQUENCE {
    action     INTEGER {
                  dontPublish (0),
                  pleasePublish (1) },
    pubInfos  SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }

SinglePubInfo ::= SEQUENCE {
    pubMethod    INTEGER {
          dontCare    (0),
          x500        (1),
          web         (2),
          ldap        (3) },
    pubLocation  GeneralName OPTIONAL }

PKIArchiveOptions ::= CHOICE {
    encryptedPrivKey     [0] EncryptedKey,
    keyGenParameters     [1] KeyGenParameters,
    archiveRemGenPrivKey [2] BOOLEAN }

EncryptedKey ::= CHOICE {
    encryptedValue        EncryptedValue,
    envelopedData     [0] EnvelopedData }

EncryptedValue ::= SEQUENCE {
    intendedAlg   [0] AlgorithmIdentifier  OPTIONAL,
    symmAlg       [1] AlgorithmIdentifier  OPTIONAL,
    encSymmKey    [2] BIT STRING           OPTIONAL,
    keyAlg        [3] AlgorithmIdentifier  OPTIONAL,
    valueHint     [4] OCTET STRING         OPTIONAL,
    encValue       BIT STRING }

CertId ::= SEQUENCE {
    issuer           GeneralName,
    serialNumber     INTEGER
}

ProofOfPossession ::= CHOICE {
    raVerified        [0] NULL,
    signature         [1] POPOSigningKey,
    keyEncipherment   [2] POPOPrivKey,
    keyAgreement      [3] POPOPrivKey }

POPOSigningKey ::= SEQUENCE {
    poposkInput         [0] POPOSigningKeyInput OPTIONAL,
    algorithmIdentifier     AlgorithmIdentifier,
    signature               BIT STRING }

POPOSigningKeyInput ::= SEQUENCE {
    authInfo            CHOICE {
        sender              [0] GeneralName,
        publicKeyMAC        PKMACValue },
    publicKey           SubjectPublicKeyInfo }

PKMACValue ::= SEQUENCE {
    algId  AlgorithmIdentifier,
    value  BIT STRING }

POPOPrivKey ::= CHOICE {
    thisMessage       [0] BIT STRING,   -- deprecated
    subsequentMessage [1] SubsequentMessage,
    dhMAC             [2] BIT STRING,   -- deprecated
    agreeMAC          [3] PKMACValue,
    encryptedKey      [4] EnvelopedData }

SubsequentMessage ::= INTEGER {
    encrCert (0),
    challengeResp (1) }

EncKeyWithID ::= SEQUENCE {
    privateKey           PrivateKeyInfo,
    identifier CHOICE {
      string               UTF8String,
      generalName          GeneralName
    } OPTIONAL
}

PrivateKeyInfo ::= SEQUENCE {
    version                   INTEGER,
    privateKeyAlgorithm       AlgorithmIdentifier,
    privateKey                OCTET STRING,
    attributes                [0] IMPLICIT Attributes OPTIONAL
}

Attributes ::= SET OF Attribute
Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally