Chapter 4 Certificate Extension Plug-in Modules, page 141
AuthorityKeyIdentifierExt Plug-in Module
The AuthorityKeyIdentifierExt plug-in module implements the authority key identifier extension policy. This policy enables you to configure Certificate Management System to add the Authority Key Identifier Extension, defined in X.509 and in the PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt), to certificates. The extension identifies the public key that corresponds to the private key a CA used to sign the certificate. (RFC 2459 has since been obsoleted by RFC 5280, which defines the same extension in section 4.2.1.1.)
You should consider adding this extension to all certificates issued by Certificate Management System, especially CA certificates. In certain situations a CA's public key may change (for example, when the key is updated), or the CA may have multiple signing keys, either because it operates several key pairs concurrently or because of key changeover. In these cases the CA ends up with more than one distinct key, and an application verifying the signature on a certificate needs to know which of them was used. If the extension is present, applications that understand it can identify the correct key when several exist: the extension names the public key to be used to verify the signature on the certificate.
For general guidelines on setting the authority key identifier extension, see
“authorityKeyIdentifier” on page 340.
The authority key identifier extension policy in Certificate Management System sets the authority key identifier extension, as defined in X.509, in its key identifier form. The policy lets you specify what to do when the CA certificate does not carry a subject key identifier extension: either use a SHA-1 hash of the CA's subject public key information (the structure that carries the public key and identifies the algorithm the key is used with), or skip adding the authority key identifier extension altogether. Note that RFC 2459 (section 4.2.1.2, method 1) defines the derived identifier as the SHA-1 hash of the value of the subjectPublicKey BIT STRING, excluding its tag, length and unused-bits byte; a derived identifier is only useful to relying parties that compute it over the same bytes. For information on setting the subject key identifier extension in certificates, see "SubjectKeyIdentifierExt Plug-in Module" on page 242.
Note that the PKIX and Federal PKI standards recommend against the use of the authorityCertIssuer and authorityCertSerialNumber fields of the X.509 definition. RFC 2459 requires the keyIdentifier field to be present in every certificate a conforming CA generates (only a self-signed CA certificate may omit the extension), which is consistent with this policy's use of key identifiers.
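The following Go program is an added illustration of the two points above; it is not code from the Plug-Ins Guide or from Certificate Management System, and uses only the Go standard library. It constructs the situation the text describes (two CA certificates with the same subject name but different keys, and a certificate signed by the newer one), then resolves the issuer by matching the certificate's authority key identifier against each CA's key identifier. The key identifier is derived the way this policy does it: the CA certificate's subject key identifier when present, otherwise the SHA-1 of the subjectPublicKey BIT STRING (RFC 2459 method 1). The CA name "Example CA", the host name server.example.com, the serial numbers, the explicit identifier 00000001 and all function names are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issuerKeyID is what the policy copies into the AKI of certificates the CA
// signs: the CA certificate's own SKI when present; otherwise RFC 2459 method 1,
// the SHA-1 of the subjectPublicKey BIT STRING value (no tag, length, unused bits).
func issuerKeyID(ca *x509.Certificate) ([]byte, error) {
	if len(ca.SubjectKeyId) != 0 {
		return ca.SubjectKeyId, nil
	}
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(ca.RawSubjectPublicKeyInfo, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:], nil
}

// findIssuer picks, among CA certificates that may share one subject name (key
// rollover, concurrent signing keys), the one whose key identifier matches the
// certificate's AKI, then confirms the choice by verifying the signature.
func findIssuer(cert *x509.Certificate, cas []*x509.Certificate) (*x509.Certificate, error) {
	if len(cert.AuthorityKeyId) == 0 {
		return nil, errors.New("certificate has no authority key identifier")
	}
	for _, ca := range cas {
		id, err := issuerKeyID(ca)
		if err != nil {
			return nil, err
		}
		if !bytes.Equal(id, cert.AuthorityKeyId) {
			continue
		}
		if err := cert.CheckSignatureFrom(ca); err != nil {
			return nil, fmt.Errorf("AKI %x matched but signature failed: %w", id, err)
		}
		return ca, nil
	}
	return nil, errors.New("no CA key matches the authority key identifier")
}

// mustSign is a fixture builder (panics on error): it makes an Ed25519 key for a
// certificate named cn and has parent sign it; a nil parent means a self-signed CA.
// Go's x509 derives a missing CA SKI by the same SHA-1 method and copies the
// parent's SKI into the child's AKI, as the policy does on enrollment.
func mustSign(cn string, serial int64, ski []byte, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		SubjectKeyId:          ski,
	}
	if tmpl.IsCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// rolloverScenario constructs the case the text describes: two CA certificates
// both named "Example CA" (made up) with different keys, and a leaf signed by the newer one.
func rolloverScenario() (leaf *x509.Certificate, cas []*x509.Certificate) {
	oldCA, _ := mustSign("Example CA", 1, []byte{0, 0, 0, 1}, nil, nil) // explicit, non-hash SKI
	newCA, newKey := mustSign("Example CA", 2, nil, nil, nil)           // SKI derived by SHA-1
	leaf, _ = mustSign("server.example.com", 1000, nil, newCA, newKey)
	return leaf, []*x509.Certificate{oldCA, newCA}
}

func main() {
	leaf, cas := rolloverScenario()
	issuer, err := findIssuer(leaf, cas)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AKI %x selected CA serial %v\n", leaf.AuthorityKeyId, issuer.SerialNumber)
}
```

Two design points worth noting. The key identifier is only a selection hint, so findIssuer still verifies the signature after a match; a forged or stale AKI must not be able to steer a relying party to the wrong key without the signature check catching it. And because a CA may use any unique value as its SKI (the old CA above uses a counter-style identifier), a relying party copies the CA's SKI rather than recomputing a hash, and falls back to the SHA-1 derivation only when the CA certificate has no SKI at all.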
If enabled, the policy does the following:
• Sets the authority key identifier extension in certificates using the CA's key identifier from the CA's subject key identifier extension, if that extension exists. In the absence of a subject key identifier extension, the policy does either of the following (as specified by the configuration):
Netscape Certificate Management System 6.01 Plug-Ins Guide, May 2002