Per RMM spec for this:
Where the CPAK is endorsed via an X.509 certificate chain, the endorsement artefacts can be included in the
COSE_Sign1 envelope of the CCA platform token ...
• The CPAK certificate is identified by including an x5t thumbprint parameter in the COSE_Sign1 protected
header.
• The CPAK certificate itself is then packaged within an x5chain parameter in the COSE_Sign1 unprotected
header.
• This x5chain parameter can also include other certificates that endorse the CPAK certificate.
The RMM also notes that the non leaf certs in the chain can be in a separate package in the CMW, Support for that case can be punted to a new issue additional to the basic model above.
Per RMM spec for this:
Where the CPAK is endorsed via an X.509 certificate chain, the endorsement artefacts can be included in the
COSE_Sign1 envelope of the CCA platform token ...
• The CPAK certificate is identified by including an x5t thumbprint parameter in the COSE_Sign1 protected
header.
• The CPAK certificate itself is then packaged within an x5chain parameter in the COSE_Sign1 unprotected
header.
• This x5chain parameter can also include other certificates that endorse the CPAK certificate.
The RMM also notes that the non leaf certs in the chain can be in a separate package in the CMW, Support for that case can be punted to a new issue additional to the basic model above.