Authority Key Identifier

if a certificate has an "Authority Key Identifier" (RFC5280, ... and if it has a value for the "authorityCertIssuer" ... how should this look like? Is this the same as the CN-Value of the subject of the CA's certificate? Or how should this value be built? (in order to be accepted by todays browsers)

According to the RFC you've mentioned the value should be a GeneralNames, which seems to be the same as what a SAN should be if you look at

That said, why are you asking? What does this have to do with ACME client development? I also don't think this is a common X.509 extension? Not by Let's Encrypt in any case..


I'm asking because of a problem that I have with non-accepted certificates (after the latest updates of Chrome/Edge) and I try to find the problem by verifying every single value in those certificates to exclude it as the cause... and yes... sometimes I go a little bit deeper than needed.

Can't you just remove the "Authority Key Identifier" part? As Let's Encrypt doesn't use it, it doesn't look like it's mandatory anyway. That said, I'm not really familiar with its purpose to begin with, so perhaps you have very good reasons to include it.


No, that would be a distinguished name (DN).

There doesn't seem to be any clear guidance on this. In general, I would assume that this is a CA-choosen general name (DNS Name, IP Address, URL...). This field is only ever used together with the serial number (see appendix-A.2, RFC 5280), so any implementation using it will likely care for the serial most

-- authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent

In general: They don't. Chrome validates that the data contained them conforms to specification (net/cert/pki/ - chromium/src - Git at Google), but then never looks at it again. It does use the keyIdentifier to quickly find and order issuers (, as do many other implementations.

The CA/Browser Forum Baseline Requirements explicitly forbid the usage of authorityCertIssuer and authorityCertSerialNumber in certificates. Therefore, it is very unlikely that any modern browser takes more than a very brief look at them. Omitting them is the way to go, if you're your own CA.

Field Description
keyIdentifier MUST be present. MUST be identical to the
subjectKeyIdentifier field of the Precertificate
Signing CA Certificate
authorityCertIssuer MUST NOT be present
authorityCertSerialNumber MUST NOT be present


-- authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent

that was the problem... I had for some reason certificates with just one value present

thank you


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.