datatracker.ietf.org

Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
RFC 4211

Document type: RFC - Proposed Standard (September 2005; Errata)
Obsoletes RFC 2511
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4211 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: <kent@bbn.com>, <wpolk@nist.gov>

Network Working Group                                          J. Schaad
Request for Comments: 4211                       Soaring Hawk Consulting
Obsoletes: 2511                                           September 2005
Category: Standards Track

               Internet X.509 Public Key Infrastructure
               Certificate Request Message Format (CRMF)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes the Certificate Request Message Format (CRMF)
   syntax and semantics.  This syntax is used to convey a request for a
   certificate to a Certification Authority (CA), possibly via a
   Registration Authority (RA), for the purposes of X.509 certificate
   production.  The request will typically include a public key and the
   associated registration information.  This document does not define a
   certificate request protocol.

Schaad                      Standards Track                     [Page 1]
RFC 4211                  Internet X.509 CRMF             September 2005

Table Of Contents

   1. Introduction and Terminology ....................................3
   2. Overview ........................................................3
      2.1. Changes since RFC 2511 .....................................4
   3. CertReqMessage Syntax ...........................................4
   4. Proof-of-Possession (POP) .......................................5
      4.1. Signature Key POP ..........................................7
      4.2. Key Encipherment Keys ......................................9
           4.2.1. Private Key Info Content Type ......................11
           4.2.2. Private Key Structures .............................12
           4.2.3. Challenge-Response Guidelines ......................13
      4.3. Key Agreement Keys ........................................14
      4.4. Use of Password-Based MAC .................................14
   5. CertRequest syntax .............................................16
   6. Controls Syntax ................................................18
      6.1. Registration Token Control ................................18
      6.2. Authenticator Control .....................................19
      6.3. Publication Information Control ...........................19
      6.4. Archive Options Control ...................................21
      6.5. OldCert ID Control ........................................23
      6.6. Protocol Encryption Key Control ...........................23
   7. RegInfo Controls ...............................................23
      7.1. utf8Pairs .................................................23
      7.2. certReq ...................................................24
   8. Object Identifiers .............................................24
   9. Security Considerations ........................................25
   10. References ....................................................26
      10.1. Normative References .....................................26
      10.2. Informative References ...................................27
   11. Acknowledgements ..............................................28
   Appendix A.  Use of RegInfo for Name-Value Pairs ..................29
      A.1.  Defined Names ............................................29
      A.2.  IssuerName, SubjectName, and Validity Value Encoding .....29
   Appendix B.  ASN.1 Structures and OIDs ............................32
   Appendix C.  Why do Proof-of-Possession (POP) .....................38


1.  Introduction and Terminology

   This document describes the Certificate Request Message Format
   (CRMF).  A Certificate Request Message object is used within a
   protocol to convey a request for a certificate to a Certification
   Authority (CA), possibly via a Registration Authority (RA), for the
   purposes of X.509 certificate production.  The request will typically
   include a public key and the associated registration information.

   The certificate request object defined in this document is not a
   stand-alone protocol.  The information defined in this document is
   designed to be used by an externally defined Certificate Request
   Protocol (CRP).  The referencing protocol is expected to define what
