jspωiki
AuthorityKeyIdentifier

Overview#

AuthorityKeyIdentifier is defined in RFC 5280 as a X.509 Certificate Extension that provides a means of identifying the Public Key corresponding to the Private Key used to sign a certificate.

AuthorityKeyIdentifier extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number.

The keyIdentifier field of the AuthorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction.
There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the AuthorityKeyIdentifier MAY be omitted. The signature on a self-signed certificate is generated with the private key associated with the certificate's subject public key. (This proves that the issuer possesses both the public and private keys.) In this case, the subject and authority key identifiers would be identical, but only the subject key identifier is needed for certification path building.

The value of the keyIdentifier field SHOULD be derived from the Public Key used to verify the certificate's signature or a method that generates unique values.

More Information#

There might be more information for this subject on one of the following: