Standard X.509 v3 Certificate Extensions
Discussion
The Authority Key Identifier extension identifies the public key corresponding to the
private key used to sign a certificate. This extension is useful when an issuer has multiple
signing keys (for example, due to CA certificate renewal).
The extension consists of either or both of the following:
• an explicit key identifier (keyIdentifier field)
• an issuer (authorityCertIssuer field) and serial number (authorityCertSerialNumber field) identifying a certificate
If the keyIdentifier field exists, then it is used to select the certificate with a matching
subjectKeyIdentifier extension. If the authorityCertIssuer and authorityCertSerialNumber
fields are present, then they are used to identify the correct certificate by issuer and
serialNumber.
If this extension is not present, then the issuer name alone is used to identify the issuer
certificate.
PKIX Part 1 requires this extension for all certificates except self-signed root CA
certificates. Where a key identifier has not been previously established, PKIX recommends
that the authorityCertIssuer and authorityCertSerialNumber fields be specified.
These fields permit construction of a complete certificate chain by matching the
SubjectName and CertificateSerialNumber fields in the issuer's certificate against
the authorityCertIssuer and authorityCertSerialNumber in the AuthorityKeyIdentifier
extension of the subject certificate.
CS Version Support
Supported since CS 4.1. Refer to "AuthorityKeyIdentifierExt" on page 492.
Note that CS does not use or support the authorityCertIssuer or authorityCertSerialNumber
field in the Authority Key Identifier extension.
basicConstraints
OID
2.5.29.19
Criticality
PKIX Part 1 requires that this extension be marked critical. This extension is evaluated
regardless of its criticality.
732
Red Hat Certificate System Administrator's Guide • September 2005
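The issuer-selection rules from the Authority Key Identifier discussion above, as an added Python example (not taken from the Administrator's Guide or from Certificate System itself). The Cert class, the select_issuer function and all certificate data are constructed for illustration, and the model assumes the extension fields have already been parsed out of the certificates.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified certificate model (constructed; no real X.509 parsing)."""
    subject: str
    issuer: str
    serial: int
    ski: Optional[bytes] = None          # subjectKeyIdentifier extension
    aki_key_id: Optional[bytes] = None   # AKI keyIdentifier
    aki_issuer: Optional[str] = None     # AKI authorityCertIssuer
    aki_serial: Optional[int] = None     # AKI authorityCertSerialNumber

def select_issuer(cert, candidates):
    """Return (rules_applied, matching_issuer_certs) for one certificate."""
    # Candidates must at least carry the name found in the issuer field.
    matches = [c for c in candidates if c.subject == cert.issuer]
    rules = []
    if cert.aki_key_id is not None:
        # keyIdentifier selects the certificate with a matching subjectKeyIdentifier.
        matches = [c for c in matches if c.ski == cert.aki_key_id]
        rules.append("keyIdentifier")
    if cert.aki_issuer is not None and cert.aki_serial is not None:
        # Issuer and serial number identify one specific issuer certificate.
        matches = [c for c in matches
                   if c.issuer == cert.aki_issuer and c.serial == cert.aki_serial]
        rules.append("issuer+serial")
    return rules or ["issuer name only"], matches

# Constructed data: a self-signed root CA renewed with a new key, so two CA
# certificates share one subject name.
ROOT = "CN=Example Root CA"
OLD_CA = Cert(ROOT, ROOT, serial=1, ski=bytes.fromhex("aa" * 20))
NEW_CA = Cert(ROOT, ROOT, serial=2, ski=bytes.fromhex("bb" * 20))
CAS = [OLD_CA, NEW_CA]

NO_AKI = Cert("CN=host1", ROOT, serial=100)
BY_KEY = Cert("CN=host2", ROOT, serial=101, aki_key_id=NEW_CA.ski)
BY_SERIAL = Cert("CN=host3", ROOT, serial=102, aki_issuer=ROOT, aki_serial=1)
STALE = Cert("CN=host4", ROOT, serial=103, aki_key_id=bytes.fromhex("cc" * 20))

if __name__ == "__main__":
    for cert in (NO_AKI, BY_KEY, BY_SERIAL, STALE):
        rules, found = select_issuer(cert, CAS)
        print(cert.subject, rules, [c.serial for c in found])
```

Without the extension both CA certificates match on name, so a verifier has to try each key; a key identifier that matches no candidate yields an empty result, which should be treated as a chain-building failure rather than falling back to name matching.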