|
Description
This extension is used to keep a «Fingerprint»
of issuer's public key in order to distinguish different
certificates which belong to the same issuer.
The following paragraph is taken from RFC 2459 (Housley, et. al.), part 4.2.1.1:
«The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used to
sign a certificate. This extension is used where an issuer has
multiple signing keys (either due to multiple concurrent key pairs or
due to changeover). The identification may be based on either the
key identifier (the subject key identifier in the issuer's
certificate) or on the issuer name and serial number.
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate chain building. There is one exception; where a CA
distributes its public key in the form of a "self-signed"
certificate, the authority key identifier may be omitted. In this
case, the subject and authority key identifiers would be identical.
The value of the keyIdentifier field SHOULD be derived from the
public key used to verify the certificate's signature or a method
that generates unique values.»
This extension MUST NOT be marked critical.
|
