A certificate update request indicates that in the updated agreement a new certificate is to be used instead of a particular identified existing certificate. The new certificate is exchanged using the ds:KeyInfo structure defined in the W3C XML Signature specification.

The ds:KeyInfoType type is defined in the XML Signature schema. In the Agreement Update specification, its use is profiled as follows:
- The ds:KeyName and ds:KeyValue elements MAY be present, each at most once.
- The ds:RetrievalMethod element MUST NOT be used.
- Exactly one ds:X509Data element MUST be present.
- The ds:X509Data element MUST include at least one ds:X509Certificate element.
- A ds:X509Data element MAY contain multiple ds:X509Certificate elements.
- A ds:X509Data element MAY contain one or more dsig11:X509Digest elements. If more than one dsig11:X509Digest element is present, each occurrence MUST have a different value for the Algorithm attribute. The ds:X509IssuerSerial element MUST NOT be used.
- A ds:X509Data element MAY contain at most one ds:X509SubjectName element.
- The ds:PGPData, ds:MgmtData and ds:SPKIData elements MUST NOT be present.
If the new certificate is issued by a Certificate Authority, then the ds:X509Data structure SHOULD contain multiple ds:X509Certificate elements, representing the full certificate chain.
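As an added example (not code from the Agreement Update specification), the following Python checker enforces the ds:KeyInfo profile rules above on a received update request; the namespace URIs are the standard XML Signature 1.0 and 1.1 ones, and the sample fragment with its certificate values is constructed.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

DS = "{http://www.w3.org/2000/09/xmldsig#}"      # XML Signature 1.0 namespace
DSIG11 = "{http://www.w3.org/2009/xmldsig11#}"   # XML Signature 1.1 namespace


def check_keyinfo(xml_text):
    """Return the list of profile violations; an empty list means conforming."""
    root = ET.fromstring(xml_text)
    if root.tag != DS + "KeyInfo":
        return ["root element is not ds:KeyInfo"]
    errors = []
    # ds:KeyName and ds:KeyValue are optional but MAY appear only once each
    for name in ("KeyName", "KeyValue"):
        if len(root.findall(DS + name)) > 1:
            errors.append("ds:%s present more than once" % name)
    # Elements the profile forbids inside ds:KeyInfo
    for name in ("RetrievalMethod", "PGPData", "MgmtData", "SPKIData"):
        if root.findall(DS + name):
            errors.append("ds:%s MUST NOT be present" % name)
    # Exactly one ds:X509Data carrying the new certificate (and its chain)
    x509 = root.findall(DS + "X509Data")
    if len(x509) != 1:
        errors.append("exactly one ds:X509Data required, found %d" % len(x509))
        return errors
    data = x509[0]
    if not data.findall(DS + "X509Certificate"):
        errors.append("ds:X509Data needs at least one ds:X509Certificate")
    if data.findall(DS + "X509IssuerSerial"):
        errors.append("ds:X509IssuerSerial MUST NOT be used")
    if len(data.findall(DS + "X509SubjectName")) > 1:
        errors.append("at most one ds:X509SubjectName allowed")
    # Several digests are allowed only with pairwise different Algorithm values
    algs = [d.get("Algorithm") for d in data.findall(DSIG11 + "X509Digest")]
    if len(algs) != len(set(algs)):
        errors.append("dsig11:X509Digest Algorithm values must be distinct")
    return errors


# Constructed sample: a two-certificate chain (placeholder values) plus one digest
SAMPLE_OK = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
  <ds:X509Data>
    <ds:X509SubjectName>CN=example-party</ds:X509SubjectName>
    <ds:X509Certificate>PLACEHOLDER-END-ENTITY-CERT</ds:X509Certificate>
    <ds:X509Certificate>PLACEHOLDER-ISSUING-CA-CERT</ds:X509Certificate>
    <dsig11:X509Digest Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">cGxhY2Vob2xkZXI=</dsig11:X509Digest>
  </ds:X509Data>
</ds:KeyInfo>"""
```

Running `check_keyinfo(SAMPLE_OK)` returns an empty list; each violated rule adds one entry naming the offending element.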