Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs
field. accessMethod is an OID that specifies the type and format of the information about the issuer that is available at the location named in accessLocation.
PKIX Part 1 defines one accessMethod (id-ad-caIssuers, OID 1.3.6.1.5.5.7.48.2) for retrieving the certificates of CAs that are higher in the chain than the issuer of the certificate carrying the extension. The accessLocation field then typically contains a URL giving the location and the protocol (LDAP, HTTP, or FTP) used to retrieve those certificates.
RFC 2560 [3] defines a second accessMethod (id-ad-ocsp, OID 1.3.6.1.5.5.7.48.1) for checking the revocation status of a certificate with OCSP. The accessLocation field then contains a URL giving the location and protocol used to reach an OCSP responder that can report the status of the certificate.
OID
1.3.6.1.5.5.7.1.1
Criticality
This extension must be noncritical.
B.3.2. authorityKeyIdentifier
The Authority Key Identifier extension identifies the public key corresponding to the private key used
to sign a certificate. This extension is useful when an issuer has multiple signing keys, such as when a
CA certificate is renewed.
The extension consists of one or both of the following:
• An explicit key identifier, set in the keyIdentifier field
• An issuer, set in the authorityCertIssuer field, and serial number, set in the
authorityCertSerialNumber field, identifying a certificate
If the keyIdentifier field exists, it is used to select the certificate with a matching
subjectKeyIdentifier extension. If the authorityCertIssuer and
authorityCertSerialNumber fields are present, then they are used to identify the correct
certificate by issuer and serialNumber.
If this extension is not present, then the issuer name alone is used to identify the issuer certificate.
PKIX Part 1 requires this extension for all certificates except self-signed root CA certificates. Where a key identifier has not been established, PKIX recommends that the authorityCertIssuer and authorityCertSerialNumber fields be specified. These fields permit construction of a complete certificate chain by matching the subject and serialNumber fields of the issuer's certificate against the authorityCertIssuer and authorityCertSerialNumber fields in the Authority Key Identifier extension of the subject certificate.
OID
2.5.29.35
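Both extensions above share one DER shape: an Extension wrapper (OID, optional critical flag, OCTET STRING) whose octet string carries the extension's own SEQUENCE. The following is an added example written for this page, not code from Certificate System or from the PKIX specifications. It decodes the Authority Information Access and Authority Key Identifier values, enforces the rule that AIA must be noncritical, and then selects an issuer certificate in the order the text describes: keyIdentifier first, then authorityCertIssuer plus authorityCertSerialNumber, then issuer name alone. The CA name (CN=Example CA), the two CA certificates that share that subject but carry different subjectKeyIdentifier values (a renewed CA), the serial numbers and the example.test URLs are constructed test data, and the candidate "certificates" are plain dicts standing in for parsed certificates.

```python
# Added example for this page (not Certificate System code). Decodes the AIA and Authority Key
# Identifier extensions and selects an issuer as the text describes; all data below is constructed.
ID_PE_AIA = "1.3.6.1.5.5.7.1.1"
ID_CE_AKI = "2.5.29.35"
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

def tlv(tag, content):  # one DER element; short-form length is enough for the data built here
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):  # dotted OID -> DER content octets (first two arcs combined, base-128 rest)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc := arc >> 7:
            groups.insert(0, 0x80 | (arc & 0x7F))
        out.extend(groups)
    return bytes(out)

def decode_oid(content):  # inverse of encode_oid
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def iter_tlvs(buf):  # yield (tag, content) for each DER element in buf; handles long-form lengths
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def parse_extension(der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    (_, body), = iter_tlvs(der)
    parts = list(iter_tlvs(body))
    critical = False
    if parts[1][0] == 0x01:  # DER omits the BOOLEAN entirely when it is FALSE
        critical = parts[1][1] != b"\x00"
        parts.pop(1)
    return decode_oid(parts[0][1]), critical, parts[1][1]

def parse_aia(extn_value):
    """AuthorityInfoAccessSyntax -> {accessMethod OID: [URI, ...]}; non-URI GeneralNames are skipped."""
    (_, seq), = iter_tlvs(extn_value)
    out = {}
    for _, desc in iter_tlvs(seq):
        (_, oid), (name_tag, name) = iter_tlvs(desc)
        if name_tag == 0x86:  # [6] uniformResourceIdentifier, IMPLICIT IA5String
            out.setdefault(decode_oid(oid), []).append(name.decode("ascii"))
    return out

def load_aia(ext_der):  # enforce the profile rule that AIA must be noncritical before using it
    oid, critical, value = parse_extension(ext_der)
    if oid != ID_PE_AIA or critical:
        raise ValueError("expected a noncritical AIA extension, got %s critical=%s" % (oid, critical))
    return parse_aia(value)

def parse_aki(extn_value):
    """AuthorityKeyIdentifier: [0] keyIdentifier, [1] authorityCertIssuer, [2] authorityCertSerialNumber."""
    (_, seq), = iter_tlvs(extn_value)
    aki = {}
    for tag, content in iter_tlvs(seq):
        if tag == 0x80:  # [0] IMPLICIT OCTET STRING
            aki["keyIdentifier"] = content.hex()
        elif tag == 0xA1:  # [1] IMPLICIT GeneralNames; keep the directoryName ([4]) Name DER
            aki["authorityCertIssuer"] = dict(iter_tlvs(content)).get(0xA4)
        elif tag == 0x82:  # [2] IMPLICIT INTEGER
            aki["authorityCertSerialNumber"] = int.from_bytes(content, "big", signed=True)
    return aki

def select_issuer(aki, issuer_name_der, candidates):  # keyIdentifier, then (issuer, serial), then name
    if "keyIdentifier" in aki:
        return [c for c in candidates if c["ski"] == aki["keyIdentifier"]]
    if "authorityCertIssuer" in aki:
        return [c for c in candidates if c["subject_der"] == aki["authorityCertIssuer"]
                and c["serial"] == aki["authorityCertSerialNumber"]]
    return [c for c in candidates if c["subject_der"] == issuer_name_der]

def extension(oid, inner, critical=False):  # test-data builder for the Extension wrapper
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, encode_oid(oid)) + flag + tlv(0x04, inner))

# Constructed data: one CA name (CN=Example CA) shared by an old and a renewed CA certificate.
CA_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3")) + tlv(0x0C, b"Example CA"))))
OLD_CA = {"subject_der": CA_NAME, "serial": 1, "ski": "01" * 20}
NEW_CA = {"subject_der": CA_NAME, "serial": 7, "ski": "02" * 20}
AKI_BY_KEYID = extension(ID_CE_AKI, tlv(0x30, tlv(0x80, bytes.fromhex(NEW_CA["ski"]))))
AKI_BY_ISSUER = extension(ID_CE_AKI, tlv(0x30, tlv(0xA1, tlv(0xA4, CA_NAME)) + tlv(0x82, b"\x07")))
AIA_VALUE = tlv(0x30,
    tlv(0x30, tlv(0x06, encode_oid(ID_AD_OCSP)) + tlv(0x86, b"http://ocsp.example.test")) +
    tlv(0x30, tlv(0x06, encode_oid(ID_AD_CA_ISSUERS)) + tlv(0x86, b"http://ca.example.test/ca.crt")))
AIA_OK = extension(ID_PE_AIA, AIA_VALUE)
AIA_CRITICAL = extension(ID_PE_AIA, AIA_VALUE, critical=True)  # violates the noncritical rule
```

Run against the constructed data, select_issuer returns only the renewed CA certificate for the keyIdentifier form and for the issuer-and-serial form, but returns both CA certificates for the name-only fallback; that ambiguity is exactly what the Authority Key Identifier extension exists to remove when a CA is renewed under the same name. load_aia rejects AIA_CRITICAL because the extension is marked critical. Real certificates need the PKIX name comparison rules rather than the byte-equality used here, and a production path builder would check the OCSP and caIssuers URIs against a policy before fetching anything from them.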
[3] The Online Certificate Status Protocol (RFC 2560), available at http://www.ietf.org/rfc/rfc2560.txt