
The Certificate Generation and Verification Process

Author: http://cisco.ccxx.net

1. The device generates a request (PKCS#10), encrypts it with its private key, then sends it to the CA in ASN message format, with the PKCS#10 included.

PKCS#10:
device info
key size
device public key
(challenge password)

CA info:
serial no.
validity dates of the certificate
CA public key
HMAC algorithm
CRL location

2. The CA generates a random HMAC symmetric key.

3. PKCS#10 + CA info + random HMAC symmetric key --(HMAC function)--> HMAC signature

4. random HMAC symmetric key + CA private key --(RSA algorithm)--> encrypted HMAC symmetric key

5. A certificate includes:
PKCS#10 (device info, key size, device public key, challenge password)
CA info (serial no., validity dates, CA public key, HMAC algorithm, CRL)
HMAC signature
encrypted HMAC symmetric key
The CA sends this certificate to the device that sent the request (PKCS#10).


 




6. After receiving the certificate:
encrypted HMAC symmetric key + CA public key (included in CA info) --(RSA algorithm)--> random HMAC symmetric key generated by the CA

7. PKCS#10 + CA info + random HMAC symmetric key computed just now --(HMAC function)--> HMAC signature

8. The device checks whether the HMAC signature received from the CA and the HMAC signature it has just computed are the same.
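
The steps above as a runnable model, added here as an illustration and not taken from the original page or from any Cisco implementation. Assumptions: the request is a plain dict, step 4 is modeled as a textbook RSA private-key operation with a toy key, and the JSON encoding, the field values and the `trusted_ca_key` check are choices of this example.

```python
import hashlib
import hmac
import json
import secrets

# Toy CA RSA key from two Mersenne primes: constructed for this example, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent

def encode(pkcs10, ca_info):
    """Byte encoding of the HMAC input (sorted JSON is an assumption of this example)."""
    return json.dumps([pkcs10, ca_info], sort_keys=True).encode()

def ca_issue(pkcs10):
    """Steps 2-5: the CA builds a certificate for a received PKCS#10 request."""
    ca_info = {"serial": 1001, "valid_from": "2006-01-01", "valid_to": "2007-01-01",
               "ca_public_key": [N, E], "hmac_algorithm": "sha256",
               "crl": "http://ca.example/crl"}  # constructed values
    key = secrets.token_bytes(32)                                             # step 2
    tag = hmac.new(key, encode(pkcs10, ca_info), hashlib.sha256).hexdigest()  # step 3
    enc_key = pow(int.from_bytes(key, "big"), D, N)                           # step 4
    return {"pkcs10": pkcs10, "ca_info": ca_info,                             # step 5
            "hmac_signature": tag, "encrypted_hmac_key": enc_key}

def device_verify(cert, trusted_ca_key):
    """Steps 6-8: the device checks a received certificate."""
    # Assumption of this example: the device already holds an authenticated copy
    # of the CA public key and requires the copy in CA info to match it.
    if tuple(cert["ca_info"]["ca_public_key"]) != tuple(trusted_ca_key):
        return False
    n, e = trusted_ca_key
    try:
        key = pow(cert["encrypted_hmac_key"], e, n).to_bytes(32, "big")       # step 6
    except OverflowError:  # recovered value is not a 32-byte key
        return False
    tag = hmac.new(key, encode(cert["pkcs10"], cert["ca_info"]),
                   hashlib.sha256).hexdigest()                                # step 7
    return hmac.compare_digest(tag, cert["hmac_signature"])                   # step 8

if __name__ == "__main__":
    # Constructed request standing in for the PKCS#10 fields of step 1.
    request = {"device_info": "router1.example", "key_size": 1024,
               "device_public_key": "constructed-placeholder",
               "challenge_password": "constructed"}
    print("certificate accepted:", device_verify(ca_issue(request), (N, E)))
```

Standard X.509 issuance differs from this model in one respect: the CA applies its private key to a hash of the certificate contents, with no HMAC key involved.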


 

Copyright © 2006 cisco.ccxx.net. All rights reserved.