
IX509ExtensionAuthorityKeyIdentifier interface

The IX509ExtensionAuthorityKeyIdentifier interface enables you to specify an AuthorityKeyIdentifier extension. When a certification authority (CA) has multiple signing certificates, this extension can be used to help identify which certification authority certificate was used to sign an issued certificate. The extension is placed in all certificates other than that of the root. It has the following Abstract Syntax Notation One (ASN.1) syntax. The extension value is encoded by using Distinguished Encoding Rules (DER) and included in the certificate request.


----------------------------------------------------------------------
-- AuthorityKeyIdentifier 
-- XCN_OID_AUTHORITY_KEY_IDENTIFIER2 (2.5.29.35)
----------------------------------------------------------------------

AuthorityKeyId2 ::= SEQUENCE 
{
   keyIdentifier             [0] IMPLICIT KeyIdentifier OPTIONAL,
   authorityCertIssuer       [1] IMPLICIT GeneralNames OPTIONAL,
   authorityCertSerialNumber [2] IMPLICIT CertificateSerialNumber OPTIONAL
} 

KeyIdentifier ::= OCTET STRING

The default certificate request behavior is to populate only the keyIdentifier field. Typically this value is a 20-byte SHA-1 hash of the public key contained in the CA signing certificate. When the CA issues a certificate, it copies the hash value into the SubjectKeyIdentifier extension of the issued certificate. Chain building software searches the available CA certificates until it matches the SubjectKeyIdentifier extension value on the issued certificate with the keyIdentifier field in the AuthorityKeyIdentifier extension on the CA certificate. For more information about the SubjectKeyIdentifier extension, see IX509ExtensionSubjectKeyIdentifier.
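As an added illustration (not part of the original documentation and not CertEnroll code), the following Python decodes a DER-encoded AuthorityKeyId2 value according to the ASN.1 syntax above and checks whether its keyIdentifier field is the SHA-1 hash of a given CA public key. The function names, the stand-in key bytes and the sample extension value are constructed for this example.

```python
import hashlib

# IMPLICIT context tags from the AuthorityKeyId2 definition above.
FIELD_TAGS = {
    0x80: "keyIdentifier",              # [0] primitive (OCTET STRING)
    0xA1: "authorityCertIssuer",        # [1] constructed (GeneralNames)
    0x82: "authorityCertSerialNumber",  # [2] primitive (INTEGER)
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_authority_key_id(ext_value):
    """Decode a DER AuthorityKeyId2 value into a dict of its optional fields."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one SEQUENCE")
    fields = dict.fromkeys(FIELD_TAGS.values())  # absent fields stay None
    pos, last = 0, -1
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in FIELD_TAGS or (tag & 0x1F) <= last:
            raise ValueError("unexpected, repeated or out-of-order field")
        last = tag & 0x1F
        fields[FIELD_TAGS[tag]] = value
    return fields

def key_id_matches(ext_value, ca_public_key):
    """True if keyIdentifier equals the SHA-1 hash of the given key bytes."""
    key_id = decode_authority_key_id(ext_value)["keyIdentifier"]
    return key_id == hashlib.sha1(ca_public_key).digest()

# Constructed sample data: stand-in key bytes and a keyIdentifier-only value.
CA_PUBLIC_KEY = b"constructed CA public key bytes"
SAMPLE_EXT = bytes([0x30, 22, 0x80, 20]) + hashlib.sha1(CA_PUBLIC_KEY).digest()
```

A value that carries only authorityCertSerialNumber decodes with keyIdentifier set to None, so key_id_matches returns False for it rather than raising.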

To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see the PKCS #10 Extensions and the CMC Extensions topics.

Members

The IX509ExtensionAuthorityKeyIdentifier interface inherits from IX509Extension. IX509ExtensionAuthorityKeyIdentifier also has these types of members:

Methods

The IX509ExtensionAuthorityKeyIdentifier interface has these methods.

Method            Description
InitializeDecode  Initializes the extension from a DER-encoded byte array that contains the extension value.
InitializeEncode  Initializes the extension from a byte array.

Properties

The IX509ExtensionAuthorityKeyIdentifier interface has these properties.

Property                Description
AuthorityKeyIdentifier  Retrieves a byte array that contains the extension value.

Requirements

Minimum supported client  Windows Vista [desktop apps only]
Minimum supported server  Windows Server 2008 [desktop apps only]
Header                    CertEnroll.h
DLL                       CertEnroll.dll

See also

Certificate Enrollment API
Extensions
IX509Extension
IX509ExtensionSubjectKeyIdentifier

 

 

© 2014 Microsoft