How do these Intermediate CA Certificates do their Certificate Chaining?
Hi guys,

The system in the screenshot below is a Win 2003 SP2 server with no Windows updates (virtual instance). I wanna confirm how these two Verisign intermediate CAs complete their certificate chaining, because these certificates (albeit they are expired) have no AKI (Authority Key Identifier extension/attribute) set in them. So how will they track their parent CA, which indeed issued their cert, and complete their certificate chaining? Or is it that these certificates are indeed based upon X.509 v1, and this version adheres to no AKI / SKI (Subject Key Identifier) concept?

http://www.imagebam.com/image/044b0e179148643

Regards :)
March 11th, 2012 1:46am

I would have asked here: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Thanks
March 11th, 2012 11:45am

On Sat, 10 Mar 2012 22:46:55 +0000, Harmandeep wrote:

> I wanna confirm how these two Verisign intermediate CAs complete their Certificate chaining ? because in these certificates (albeit they are expired) have no AKI (Authority key identifier extension/attribute) set in them --- so how come will they track their parent CA - who indeed issue them Cert - and complete their Certificate chaining ?

In the absence of an AKI or SKI value, the certificate chaining engine will attempt to build the trust chain by using name matching. It will attempt to find a parent certificate whose Subject name matches the Issuer name on the certificate being validated.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
10.0 times 0.1 is hardly ever 1.0.
March 12th, 2012 2:22am
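
The lookup described in the reply above, as an added example that is not part of the original thread and is not Windows' actual chaining engine: a simplified Python model in which certificates are constructed records, `key_id` and `signed_by` stand in for the public key and the signature, and every name is hypothetical. It assumes key matching is used whenever the child carries an AKI, and it shows that name matching can return several candidates, which the signature check then narrows to one.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (chaining fields only)."""
    subject: str
    issuer: str
    key_id: str                 # stands in for the certificate's public key
    signed_by: str              # key that signed it; stands in for the signature
    ski: Optional[str] = None   # Subject Key Identifier, absent in v1-style certs
    aki: Optional[str] = None   # Authority Key Identifier, absent in v1-style certs

def find_parents(child: Cert, store: List[Cert]) -> List[Cert]:
    """Candidate issuers: key match when the child carries an AKI, else name match."""
    if child.aki is not None:
        return [c for c in store if c.ski == child.aki]
    return [c for c in store if c.subject == child.issuer]

def build_chain(leaf: Cert, store: List[Cert]) -> List[Cert]:
    """Walk up to a self-issued cert, accepting only candidates whose key signed the child."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        child = chain[-1]
        parent = next((p for p in find_parents(child, store)
                       if p.key_id == child.signed_by and p not in chain), None)
        if parent is None:
            raise ValueError(f"no issuer found for {child.subject!r}")
        chain.append(parent)
    return chain

# Constructed sample store: a root that was renewed with a new key, so two
# certificates share one Subject name, plus one v1-style and one v3-style intermediate.
ROOT_OLD = Cert("CN=Example Root", "CN=Example Root", "root-k1", "root-k1")
ROOT_NEW = Cert("CN=Example Root", "CN=Example Root", "root-k2", "root-k2", ski="root-k2")
V1_INT = Cert("CN=Example Intermediate", "CN=Example Root", "int-k1", "root-k1")
V3_INT = Cert("CN=Example Intermediate G2", "CN=Example Root", "int-k2", "root-k2",
              ski="int-k2", aki="root-k2")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate", "leaf-k", "int-k1")
STORE = [ROOT_OLD, ROOT_NEW, V1_INT, V3_INT]

if __name__ == "__main__":
    # No AKI: both roots match by name; the signature check picks the right one.
    print([c.key_id for c in find_parents(V1_INT, STORE)])
    # AKI present: the key identifier selects a single candidate.
    print([c.key_id for c in find_parents(V3_INT, STORE)])
    print(" -> ".join(c.subject for c in build_chain(LEAF, STORE)))
```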


^^^ Thanks - got it. So indeed, AKI is a specific/exclusive method for X.509 v3, whereas v1 uses the general Issuer name matching method.
March 13th, 2012 9:05am
