How do these Intermediate CA Certificates do their Certificate Chaining
Hi Guys,
The system in the screenshot below is a Win 2003 SP2 server with no Windows updates (virtual instance).
I want to confirm how these two Verisign intermediate CAs complete their certificate chaining, because these certificates (albeit they are expired) have no AKI (Authority Key Identifier extension/attribute) set in them --- so how come they can track
their parent CA - who indeed issued them their cert - and complete their certificate chaining?
OR are these certificates indeed based upon the X.509 v1 version, which has no AKI / SKI (Subject Key Identifier) concept?
http://www.imagebam.com/image/044b0e179148643
Regards :)
March 11th, 2012 1:46am
I would have asked here.
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Thanks
March 11th, 2012 11:45am
On Sat, 10 Mar 2012 22:46:55 +0000, Harmandeep wrote:
I want to confirm how these two Verisign intermediate CAs complete their certificate chaining, because these certificates (albeit they are expired) have no AKI (Authority Key Identifier extension/attribute) set in them --- so how come they can track
their parent CA - who indeed issued them their cert - and complete their certificate chaining?
In the absence of an AKI or SKI value, the certificate chaining engine will
attempt to build the trust chain by using name matching. It will attempt to
find a parent certificate whose Subject name matches the Issuer name on the
certificate being validated.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
10.0 times 0.1 is hardly ever 1.0.
March 12th, 2012 2:22am
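As an added illustration of the name-matching fallback described in the answer above (a constructed Python model, not Windows CryptoAPI code; every name and key identifier in it is made up), the following builds a chain by AKI/SKI when the child carries an AKI and falls back to Issuer/Subject name matching otherwise, and shows why the fallback alone becomes ambiguous once two CA certificates share a subject name:

```python
"""Toy model of X.509 chain building: match by AKI/SKI when present, otherwise
fall back to Issuer/Subject name matching (constructed; not CryptoAPI code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Only the fields chain building needs; names and key ids are made up."""
    subject: str
    issuer: str
    ski: Optional[str] = None   # Subject Key Identifier (v3 extension)
    aki: Optional[str] = None   # Authority Key Identifier (v3 extension)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def find_parents(cert: Cert, store: list) -> list:
    """Candidate issuers: by key identifier if the child carries an AKI,
    else (e.g. a v1 certificate) by Issuer name == candidate Subject name."""
    if cert.aki is not None:
        return [c for c in store if c.ski == cert.aki]
    return [c for c in store if c.subject == cert.issuer]


def build_chain(leaf: Cert, store: list) -> list:
    """Walk from the leaf to a self-signed root; fail if a link is missing or
    if name matching alone leaves more than one possible parent."""
    chain = [leaf]
    while not chain[-1].is_self_signed():
        parents = find_parents(chain[-1], store)
        if len(parents) != 1:
            raise LookupError(f"{len(parents)} candidate issuers for "
                              f"{chain[-1].subject!r} (need exactly one)")
        chain.append(parents[0])
    return chain


# Constructed store: a root, a v1-style intermediate (no SKI/AKI) and a leaf.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", ski="ROOT-KEY-1")
INTER_V1 = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA")
STORE = [ROOT, INTER_V1]
# Renewed root, same name, new key: name matching alone cannot tell them apart.
ROOT_RENEWED = Cert("CN=Example Root CA", "CN=Example Root CA", ski="ROOT-KEY-2")

if __name__ == "__main__":
    print(" -> ".join(c.subject for c in build_chain(LEAF, STORE)))
```

Adding ROOT_RENEWED to the store makes the v1 intermediate's chain fail as ambiguous, while a v3 intermediate carrying aki="ROOT-KEY-2" still resolves to the correct root.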
^^^ thanks - got it.
So indeed, AKI is a method specific to X.509 v3, whereas v1 uses the general Issuer name matching method.
March 13th, 2012 9:05am