Authority Key Identifier

If a certificate has an "Authority Key Identifier" (RFC5280, 4.2.1.1) ... and if it has a value for the "authorityCertIssuer" ... what should this look like? Is this the same as the CN value of the subject of the CA's certificate? Or how should this value be built? (in order to be accepted by today's browsers)

According to the RFC you've mentioned the value should be a GeneralNames, which seems to be the same as what a SAN should be if you look at 4.2.1.6.

That said, why are you asking? What does this have to do with ACME client development? I also don't think this is a common X.509 extension? Not by Let's Encrypt in any case.

4 Likes

I'm asking because of a problem that I have with non-accepted certificates (after the latest updates of Chrome/Edge) and I try to find the problem by verifying every single value in those certificates to exclude it as the cause... and yes... sometimes I go a little bit deeper than needed.

Can't you just remove the "Authority Key Identifier" part? As Let's Encrypt doesn't use it, it doesn't look like it's mandatory anyway. That said, I'm not really familiar with its purpose to begin with, so perhaps you have very good reasons to include it.

2 Likes

No, that would be a distinguished name (DN).

There doesn't seem to be any clear guidance on this. In general, I would assume that this is a CA-chosen general name (DNS name, IP address, URL...). This field is only ever used together with the serial number (see appendix A.2, RFC 5280), so any implementation using it will likely care for the serial most.

-- authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent

In general: They don't. Chrome validates that the data contained in them conforms to the specification (https://chromium.googlesource.com/chromium/src/+/main/net/cert/pki/parse_certificate.cc#881), but then never looks at it again. It does use the keyIdentifier to quickly find and order issuers (https://github.com/chromium/chromium/blob/c22f5157e2950d546f6bcade76cf24858e9f31df/net/cert/pki/path_builder.cc#L83), as do many other implementations.

The CA/Browser Forum Baseline Requirements explicitly forbid the usage of authorityCertIssuer and authorityCertSerialNumber in certificates. Therefore, it is very unlikely that any modern browser takes more than a very brief look at them. Omitting them is the way to go, if you're your own CA.

| Field | Description |
|---|---|
| keyIdentifier | MUST be present. MUST be identical to the subjectKeyIdentifier field of the Precertificate Signing CA Certificate |
| authorityCertIssuer | MUST NOT be present |
| authorityCertSerialNumber | MUST NOT be present |

7 Likes
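A check of the rules quoted in this reply, as an added example that is not code from the thread or from Let's Encrypt: it assumes the DER-encoded extension value has already been extracted from the certificate, the helper names `parse_aki` and `check_aki` are hypothetical, and the sample bytes are constructed.

```python
# Added example (not from the thread or Let's Encrypt): check the quoted rules on a
# DER-encoded AuthorityKeyIdentifier value; all byte strings here are constructed.
def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# Context-specific tags from RFC 5280, 4.2.1.1 (IMPLICIT tagging)
_AKI_TAGS = {0x80: "keyIdentifier",              # [0] OCTET STRING, primitive
             0xA1: "authorityCertIssuer",        # [1] GeneralNames, constructed
             0x82: "authorityCertSerialNumber"}  # [2] INTEGER, primitive

def parse_aki(der):
    """Split an AuthorityKeyIdentifier SEQUENCE into its optional fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AuthorityKeyIdentifier must be a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        name = _AKI_TAGS.get(tag)
        if name is None or name in fields:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        fields[name] = value
    return fields

def check_aki(der, issuer_ski):
    """Return the RFC 5280 / Baseline Requirements violations found, if any."""
    f, problems = parse_aki(der), []
    if ("authorityCertIssuer" in f) != ("authorityCertSerialNumber" in f):
        problems.append("authorityCertIssuer and authorityCertSerialNumber "
                        "must both be present or both be absent (RFC 5280)")
    if "keyIdentifier" not in f:
        problems.append("keyIdentifier missing (required by the BRs)")
    elif f["keyIdentifier"] != issuer_ski:
        problems.append("keyIdentifier differs from issuer's subjectKeyIdentifier")
    if "authorityCertIssuer" in f or "authorityCertSerialNumber" in f:
        problems.append("authorityCertIssuer/authorityCertSerialNumber present "
                        "(forbidden by the BRs; omit them)")
    return problems

# Constructed samples: a 20-byte issuer SKI, an AKI carrying only keyIdentifier, and
# one adding authorityCertIssuer (dNSName "ca.example") but no serial, as the OP had.
ISSUER_SKI = bytes(range(20))
GOOD_AKI = b"\x30\x16\x80\x14" + ISSUER_SKI
BAD_AKI = b"\x30\x24\x80\x14" + ISSUER_SKI + b"\xa1\x0c\x82\x0aca.example"
```

Running `check_aki(BAD_AKI, ISSUER_SKI)` reports both the lopsided issuer/serial pair and the Baseline Requirements violation, while the keyIdentifier-only value passes cleanly.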

-- authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent

that was the problem... I had for some reason certificates with just one value present

thank you

2 Likes
