Difference between revisions of "Subject Key ID"

From MgmtWiki
Revision as of 14:48, 9 September 2021

Full Title

The subject key identifier (SKID, or ski depending on use) is an X.509 extension and thus actually part of the certificate.

Context

The fingerprint, by contrast, is not part of the certificate but is computed from it. A certificate does not need to have an SKID at all and can have at most one. Since the fingerprint is just computed from the certificate, there can be multiple fingerprints, for example one using SHA-1, one using SHA-256 and one using MD5.

The SKID is used to build the trust chain not on the certificate subject and issuer names but on the SKID and the authority key identifier (AKID). This makes it easier to deal with situations where the same subject string is used with multiple CA certificates. While RFC 3280 describes common ways to generate an SKID, the only real requirement is that the SKID of the CA certificate must match the AKID in all certificates issued by this CA.

In the example below it can be clearly seen that the SKID BB:AF:7E:02:3D:FA:... of the issuer matches the AKID of the issued certificate:

   ...
   Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
   ...
   X509v3 extensions:
       X509v3 Authority Key Identifier: 
           keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
   ----
   ...
   Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
   ...
   X509v3 extensions:
       X509v3 Subject Key Identifier: 
           BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
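As an added example that is not part of the original page, the following Go program builds a constructed two-certificate chain with the standard library, recomputes the issuer's SKID with RFC 3280 method (1) (SHA-1 over the subjectPublicKey BIT STRING) and applies the matching rule described above. The certificate names and keys are constructed for the demonstration, and Ed25519 keys are used instead of the RSA keys in the openssl output shown; the same key-identifier rules apply.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// rfc3280KeyID recomputes an SKID with RFC 3280 section 4.2.1.2 method (1): the SHA-1 of
// the subjectPublicKey BIT STRING value (tag, length and unused-bits byte excluded).
func rfc3280KeyID(cert *x509.Certificate) ([]byte, error) {
	var spki struct { // mirrors SubjectPublicKeyInfo
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	_, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki)
	sum := sha1.Sum(spki.PublicKey.Bytes) // meaningless if err != nil; callers must check err
	return sum[:], err
}

// chainsByKeyID is the one hard requirement from the text: issued AKID equals issuer SKID.
func chainsByKeyID(issued, ca *x509.Certificate) bool {
	return len(ca.SubjectKeyId) > 0 && string(issued.AuthorityKeyId) == string(ca.SubjectKeyId)
}

// buildChain issues a constructed self-signed root plus one child certificate; crypto/x509
// computes the root's SKID with method (1) and copies it into the child's AKID.
func buildChain() (root, child *x509.Certificate, err error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // keygen from rand.Reader does not fail in practice
	childPub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate { // constructed names
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: isCA}
	}
	rootT := tmpl(1, "Example Root CA", true)
	rootDER, err := x509.CreateCertificate(rand.Reader, rootT, rootT, rootPub, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER) // DER just produced by CreateCertificate always parses
	childDER, err := x509.CreateCertificate(rand.Reader, tmpl(2, "Example Issuing CA", false), root, childPub, rootKey)
	child, _ = x509.ParseCertificate(childDER) // nil if issuance failed; err reports why
	return root, child, err
}
```

Because the child is not marked as a CA, crypto/x509 gives it no SKID, so nothing can chain to it by key identifier even though it carries a valid AKID.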

References