Authoritykeyidentifier - Netscape MANAGEMENT SYSTEM 6.0 - PLUG-IN Manual


Standard X.509 v3 Certificate Extensions
OCSP signing certificates and CA signing certificates should only use the
authorityInfoAccess extension to point to an OCSP responder if that responder
has been configured to verify them. For example, if there is a hierarchy of
responders, a subordinate responder may point to its parent for verification. If a
CA signing certificate points to an OCSP responder, that responder's signing
certificate should be signed by a different CA (for example, the CA that issued the
CA signing certificate in question).
Microsoft Recommendation
Microsoft products do not currently use on-line revocation checking.

authorityKeyIdentifier

OID
2.5.29.35
Reference
http://www.ietf.org/rfc/rfc2459.txt 4.2.1.1
Criticality
This extension is always noncritical and is always evaluated.
Discussion
The Authority Key Identifier extension identifies the public key corresponding to
the private key used to sign a certificate. This extension is useful when an issuer
has multiple signing keys (for example, due to CA certificate renewal).
The extension consists of either or both of the following:
- an explicit key identifier (keyIdentifier field)
- an issuer (authorityCertIssuer field) and serial number
  (authorityCertSerialNumber field) identifying a certificate
If the keyIdentifier field exists, then it is used to select the certificate with a
matching subjectKeyIdentifier extension. If the authorityCertIssuer and
authorityCertSerialNumber fields are present, then they are used to identify the
correct certificate by issuer and serialNumber.
If this extension is not present, then the issuer name alone is used to identify the
issuer certificate.

Netscape Certificate Management System Plug-Ins Guide • March 2002
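
The issuer-selection rules in the authorityKeyIdentifier discussion, as an added example (not code from the Netscape manual or from CMS): a Python function that picks candidate issuer certificates for the CA-renewal case, where two CA certificates share one subject name. Assumptions: certificates are modeled as already-parsed fields with names as plain strings, the class and function names are hypothetical, and when both forms of the extension are present both must match.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AuthorityKeyId:                      # hypothetical model of the extension
    key_identifier: Optional[bytes] = None   # keyIdentifier
    cert_issuer: Optional[str] = None        # authorityCertIssuer (simplified to a string)
    cert_serial: Optional[int] = None        # authorityCertSerialNumber

@dataclass(frozen=True)
class Cert:                                # hypothetical parsed certificate
    subject: str
    issuer: str
    serial: int
    ski: Optional[bytes] = None              # subjectKeyIdentifier
    aki: Optional[AuthorityKeyId] = None

def candidate_issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Return the certificates in pool that could have issued cert."""
    # Name chaining always applies: issuer name must equal the candidate's subject.
    found = [c for c in pool if c.subject == cert.issuer]
    aki = cert.aki
    if aki is None:
        return found                       # extension absent: issuer name alone
    if aki.key_identifier is not None:     # match against subjectKeyIdentifier
        found = [c for c in found if c.ski == aki.key_identifier]
    if aki.cert_issuer is not None and aki.cert_serial is not None:
        found = [c for c in found
                 if c.issuer == aki.cert_issuer and c.serial == aki.cert_serial]
    return found

# Constructed sample data: a CA renewed with a new key, so two CA
# certificates carry the same subject name but different keys and serials.
ROOT = "CN=Example Root"
CA = "CN=Example Issuing CA"
old_ca = Cert(CA, ROOT, 0x10, ski=bytes.fromhex("aa01"))
new_ca = Cert(CA, ROOT, 0x11, ski=bytes.fromhex("bb02"))
POOL = [old_ca, new_ca]

by_key = Cert("CN=leaf1", CA, 1, aki=AuthorityKeyId(key_identifier=new_ca.ski))
by_serial = Cert("CN=leaf2", CA, 2,
                 aki=AuthorityKeyId(cert_issuer=ROOT, cert_serial=0x10))
no_aki = Cert("CN=leaf3", CA, 3)

if __name__ == "__main__":
    for leaf in (by_key, by_serial, no_aki):
        print(leaf.subject, [hex(c.serial) for c in candidate_issuers(leaf, POOL)])
```

The certificate without the extension matches both CA certificates, which is the ambiguity the extension removes when an issuer has more than one signing key.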
