Difference between revisions of "Subject Key ID"

Revision as of 14:57, 9 September 2021

Full Title

The subject key identifier (SKID, or SKI depending on usage) is an X.509 extension and thus actually part of the certificate.

Context

The fingerprint is not part of the certificate but is instead computed from the certificate. A certificate does not need to have an SKID at all and can have at most one SKID. But since the fingerprint is just computed from the certificate, there can be multiple fingerprints, for example one using SHA-1, one using SHA-256, one using MD5 ...

The SKID is used to build the trust chain not on the certificate subject and issuer but on the certificate SKID and authority key identifier (AKID). This makes it easier to deal with situations where the same subject string is used with multiple CA certificates. While RFC 3280 describes common ways to generate the SKID, the only real requirement is that the SKID of the CA certificate must match the AKID in all certificates issued by this CA.

In the example below it can be clearly seen that the SKID BB:AF:7E:02:3D:FA:... of the issuer matches the AKID of the issued certificate:

   ...
   Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
   ...
   X509v3 extensions:
       X509v3 Authority Key Identifier: 
           keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
   ----
   ...
   Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   X509v3 extensions:
       X509v3 Subject Key Identifier: 
           BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4

Problems

The SKID is a key ID, not a certificate ID: the SKID is calculated from the Subject and Public Key, while the fingerprint is generated from the whole certificate. If a certificate is renewed, its SKID will stay the same while its fingerprint will change. The SKID remains the same only when the key pair is reused during renewal; if a new key pair is generated, it will produce a new SKID value.
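As an added example (not code from this wiki page), the following shell script builds a throwaway CA and leaf certificates with OpenSSL and checks the points made in the Context and Problems sections: the leaf AKID equals the CA SKID, the SKID can be recomputed from the public key alone (RFC 3280 method 1, OpenSSL's `subjectKeyIdentifier=hash`), and renewing with the same key pair keeps the SKID while the fingerprint changes. All subjects, key and file names are constructed for the demo; it assumes `openssl` 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes `openssl` 1.1.1+ on PATH;
# every name, subject and file path below is constructed for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Extension profiles: the CA gets an SKID hashed from its key (OpenSSL's `hash`
# = RFC 3280 method 1); each leaf gets an AKID copied from the issuer's SKID.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Pull SKID / AKID / fingerprint out of `openssl x509` output as colon-separated hex.
skid_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '; }
akid_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' | tail -n1 | tr -d ' ' | sed 's/^keyid://'; }
fp_of()   { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Recompute the SKID from the key alone: SHA-1 over the subjectPublicKey BIT STRING
# (for RSA that is the PKCS#1 RSAPublicKey DER). No certificate field is involved.
skid_from_key() {
  openssl rsa -in "$1" -RSAPublicKey_out -outform DER 2>/dev/null | openssl dgst -sha1 |
    sed 's/.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}
# issue <key> <subject> <out.crt>: CSR from the key, signed by the CA with the leaf profile.
issue() {
  openssl req -new -key "$1" -subj "$2" -config ext.cnf 2>/dev/null |
    openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
      -extfile ext.cnf -extensions leaf -out "$3" 2>/dev/null
}
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -key ca.key -subj '/CN=Constructed Root CA' -days 365 \
  -config ext.cnf -extensions ca -out ca.crt 2>/dev/null
openssl genrsa -out leaf.key 2048 2>/dev/null
issue leaf.key '/CN=service.example' leaf.crt
issue leaf.key '/CN=service.example' leaf-renewed.crt  # renewal: same key pair, new certificate
openssl genrsa -out leaf2.key 2048 2>/dev/null
issue leaf2.key '/CN=service.example' leaf-rekeyed.crt # renewal with a fresh key pair
echo "CA SKID       : $(skid_of ca.crt)"
echo "SKID from key : $(skid_from_key ca.key)  (equals the CA SKID)"
echo "leaf AKID     : $(akid_of leaf.crt)  (equals the CA SKID: chain is linked by key ids)"
echo "leaf SKID     : $(skid_of leaf.crt)  renewed: $(skid_of leaf-renewed.crt)  rekeyed: $(skid_of leaf-rekeyed.crt)"
echo "leaf fp       : $(fp_of leaf.crt)"
echo "renewed fp    : $(fp_of leaf-renewed.crt)  (differs although the SKID is unchanged)"
```

The same comparison (issuer SKID against leaf AKID) is what a chain builder does when subject strings alone are ambiguous, so a mismatch here is the first thing to check when a renewed intermediate breaks validation.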

References