Subject Key ID

From MgmtWiki
Jump to: navigation, search

Full Title

The subject key identifier (SKID or ski depending on use) is an x509 extension and thus actually part of the certificate.

Context

The fingerprint is not part of the certificate but instead computed from the certificate. A certificate does not need to have an SKID at all and can have at most one SKID. But since the fingerprint is just a computed from the certificate there can be multiple fingerprints, like one using SHA-1, one using SHA-256, one using MD5 ...

The SKID is used to create the trust chain not based on the certificate subject and issuer but on the certificate SKID and authority key identifier (AKID). This makes it easier to deal with situations where the same subject string is used with multiple CA certificates. While the RFC 3280 describes common ways to generate SKID the only real requirement is that the SKID of the CA certificate must match the AKID in all certificates issued by this CA.

In the example below it can be clearly seen that the SKID BB:AF:7E:02:3D:FA:... of the issuer matches the AKID of the issued certificate:

   ...
   Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
   ...
   X509v3 extensions:
       X509v3 Authority Key Identifier: 
           keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
   ----
   ...
   Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   X509v3 extensions:
       X509v3 Subject Key Identifier: 
           BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4

Problems

The SKID is a key id, not a certificate ID and so the SKID (as a rule) is calculated from the Subject and Public Key while the fingerprint is generated from the whole certificate. If a certificate is renewed, its SKID will stay the same, while its fingerprint will change. The SKID remains the same only when key pair is reused during renewal. If new key pair is generated, as happens when the key is rolled, it will produce new SKID value,

Solutions

So there are several levels of ID that an Entity might exhibit.

  1. The Entity ID which could survive even a change in cryptographic method.
  2. The Decentralized ID (did) which can survive a key rollover if the method enabled it.
  3. The SKID which could survive the issuance of a new certificate if the key were not rolled.
  4. The Certificate Fingerprint which is, essentially, a certificate GUID.

Also note that an Entity could very well have multiple dids or keys to support different business purposes.

References