AuthorityKeyIdentifierExt Plug-in Module - Netscape Certificate Management System 4.5 - Plug-in Manual

AuthorityKeyIdentifierExt Plug-in Module

The AuthorityKeyIdentifierExt plug-in module implements the authority key identifier extension policy. This policy enables you to configure Certificate Management System to add the Authority Key Identifier Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension identifies the public key that corresponds to the private key a CA used to sign a certificate.

You should consider adding this extension to all certificates issued by Certificate Management System, especially CA certificates. In certain situations a CA's public key may change (for example, when the key is updated), or the CA may have multiple signing keys (either multiple concurrent key pairs or key changeover). In these cases the CA holds more than one distinct key, and an application verifying the signature on a certificate needs to know which key was used. The extension, if present in a certificate, lets applications that understand it select the correct key when several exist: it names the public key to be used to verify the signature on the certificate.

For general guidelines on setting the authority key identifier extension, see "authorityKeyIdentifier" on page 342.

The authority key identifier extension policy in Certificate Management System sets the authority key identifier extension, as defined in X.509, with a key identifier. The policy lets you specify what to do if the CA certificate does not have a subject key identifier extension: either derive the key identifier as a SHA-1 hash of the CA's subject public key information (which carries the public key and identifies the algorithm the key is used with), or skip adding the authority key identifier extension altogether. RFC 2459 section 4.2.1.2 describes this derivation as the 160-bit SHA-1 hash of the value of the subjectPublicKey BIT STRING (excluding tag, length and the unused-bits octet). Whichever method is used, the identifier written into issued certificates must equal the identifier the CA's own certificate carries (or would carry under the same method); otherwise applications that match on the extension will not pair the certificate with the CA key. For information on setting the subject key identifier extension in certificates, see "SubjectKeyIdentifierExt Plug-in Module" on page 243.

Note that PKIX and Federal PKI standards recommend against the use of the authorityCertIssuer and authorityCertSerialNumber fields of the X.509 definition.

If enabled, the policy does the following:

Sets the authority key identifier extension in certificates using the CA's key identifier from the CA's subject key identifier extension, if it exists. In the absence of a subject key identifier extension, the policy does either of the following (as specified by the configuration):

142
Netscape Certificate Management System Plug-ins Guide • October 2001
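To make the policy's two branches and the reason for the extension concrete, here is an added example in Python; it is not part of this guide and not Certificate Management System code. It encodes the keyIdentifier form of the extension with the standard library only, derives the identifier the way RFC 2459 section 4.2.1.2 method (1) describes when the CA certificate has no subject key identifier, and then resolves a certificate's authority key identifier against a CA that holds two keys, one with an SKI and one without. The function names, the on_missing_ski switch and the sample key bytes are this example's own assumptions.

```python
"""Authority Key Identifier handling with the standard library only.
Added example, not Netscape CMS code: mirrors the policy (CA's SKI if present,
otherwise hash the CA public key or skip) and then shows the extension doing
its job, picking the right CA key out of several."""
import hashlib

# --- minimal DER helpers (only what AKI / SubjectPublicKeyInfo need) ---------
def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position just after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- SubjectPublicKeyInfo and key identifiers ---------------------------------
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def build_spki(public_key_der: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }."""
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL parameters
    bit_string = der_tlv(0x03, b"\x00" + public_key_der)   # leading 0x00 = no unused bits
    return der_tlv(0x30, alg + bit_string)

def key_identifier_from_spki(spki_der: bytes) -> bytes:
    """RFC 2459 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING
    value, excluding tag, length and the unused-bits octet."""
    tag, seq, _ = der_read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = der_read_tlv(seq)            # skip AlgorithmIdentifier
    tag, bit_string, _ = der_read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return hashlib.sha1(bit_string[1:]).digest()

# --- the extension itself -----------------------------------------------------
def encode_aki(key_id: bytes) -> bytes:
    """AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING }.
    authorityCertIssuer / authorityCertSerialNumber are left out on purpose."""
    return der_tlv(0x30, der_tlv(0x80, key_id))

def decode_aki(aki_der: bytes):
    """Return the keyIdentifier, or None if the extension carries none."""
    tag, seq, _ = der_read_tlv(aki_der)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = der_read_tlv(seq, pos)
        if tag == 0x80:                         # [0] IMPLICIT keyIdentifier
            return content
    return None

def aki_for_issuer(issuer_ski, issuer_spki_der, on_missing_ski="hash"):
    """The policy's decision: the CA's SKI if it has one, else hash or skip
    (on_missing_ski is this example's stand-in for the policy configuration)."""
    if issuer_ski is not None:
        return encode_aki(issuer_ski)
    if on_missing_ski == "hash":
        return encode_aki(key_identifier_from_spki(issuer_spki_der))
    if on_missing_ski == "skip":
        return None
    raise ValueError("on_missing_ski must be 'hash' or 'skip'")

def select_issuer_key(aki_der, candidates):
    """Given a certificate's AKI and the issuer's candidate keys as
    (ski_or_None, spki_der) pairs, return the SPKI whose identifier matches."""
    wanted = decode_aki(aki_der)
    for ski, spki in candidates:
        key_id = ski if ski is not None else key_identifier_from_spki(spki)
        if key_id == wanted:
            return spki
    return None

# Constructed sample data: two tiny RSAPublicKey-shaped blobs standing in for a
# CA's old and new keys (not real keys).  The old CA certificate carries an SKI;
# the new one does not, so the policy must fall back to hashing or skipping.
OLD_CA_PUBKEY = bytes.fromhex("300b020400c0ffee0203010001")
NEW_CA_PUBKEY = bytes.fromhex("300b020400baadf00203010001")
OLD_CA_SPKI = build_spki(OLD_CA_PUBKEY)
NEW_CA_SPKI = build_spki(NEW_CA_PUBKEY)
OLD_CA_SKI = key_identifier_from_spki(OLD_CA_SPKI)
CA_KEYS = [(OLD_CA_SKI, OLD_CA_SPKI), (None, NEW_CA_SPKI)]

if __name__ == "__main__":
    for ski, spki in CA_KEYS:
        aki = aki_for_issuer(ski, spki)
        chosen = "old key" if select_issuer_key(aki, CA_KEYS) == OLD_CA_SPKI else "new key"
        print(aki.hex(), "->", chosen)
    print(aki_for_issuer(None, NEW_CA_SPKI, on_missing_ski="skip"))  # None: extension skipped
```

The "skip" branch returns None, which is the policy's second option: the certificate is issued without the extension, and a verifier that has several CA keys is left to try them all. The lookup in select_issuer_key only works because the certificate's identifier and the CA-side identifier are computed the same way; if the SubjectKeyIdentifierExt policy on page 243 used a different derivation from the one configured here, the two would never match.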