How do these Intermediate CA Certificates do their Certificate Chaining
-
Saturday, March 10, 2012 10:46 PM
Hi Guys,
The system in the screenshot below is a Win 2003 SP2 Server with no Windows updates (virtual instance).
I wanna confirm how these two Verisign intermediate CAs complete their certificate chaining? These certificates (albeit they are expired) have no AKI (Authority Key Identifier extension/attribute) set in them, so how come they will track their parent CA, who indeed issued them the cert, and complete their certificate chaining?
Or is it that these certificates are indeed based upon X.509 v1, and this version adheres to no AKI / SKI (Subject Key Identifier) concept?
http://www.imagebam.com/image/044b0e179148643
Regards :)
- Moved by Bruce-LiuModerator Monday, March 12, 2012 5:46 AM (From:General)
All Replies
-
Sunday, March 11, 2012 8:45 AM
I would have asked here.
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Thanks
-
Monday, March 12, 2012 6:13 AM
On Sat, 10 Mar 2012 22:46:55 +0000, Harmandeep wrote:
I wanna confirm how these two Verisign intermediate CAs complete their certificate chaining? These certificates (albeit they are expired) have no AKI (Authority Key Identifier extension/attribute) set in them, so how come they will track their parent CA, who indeed issued them the cert, and complete their certificate chaining?
In the absence of an AKI or SKI value, the certificate chaining engine will
attempt to build the trust chain by using name matching. It will attempt to
find a parent certificate whose Subject name matches the Issuer name on the
certificate being validated.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
10.0 times 0.1 is hardly ever 1.0.
- Marked As Answer by Harmandeep Tuesday, March 13, 2012 12:57 PM
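The fallback described in the answer above, as an added example that is not part of the original thread and is not CryptoAPI's own code: a simplified model of how a chain builder picks candidate parents, preferring an AKI-to-SKI key match and falling back to Issuer/Subject name matching. The `Cert` class, the function names and all certificate values are constructed for illustration; signature verification, which a real engine uses to confirm a candidate, is left out.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: Optional[str] = None  # Subject Key Identifier (None models a cert without it)
    aki: Optional[str] = None  # Authority Key Identifier (None models a cert without it)

def issuer_candidates(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Return the possible parents of cert found in store."""
    # Name match: parent Subject must equal the child's Issuer.
    named = [c for c in store if c.subject == cert.issuer]
    if cert.aki is not None:
        # Key match narrows the name matches to the exact issuing key.
        keyed = [c for c in named if c.ski == cert.aki]
        if keyed:
            return keyed
    # No AKI (or no parent carries a matching SKI): name match is all we have.
    return named

def build_chain(leaf: Cert, store: List[Cert], max_depth: int = 8) -> List[Cert]:
    """Walk from leaf to a self-issued root, taking the first candidate each step."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        parents = [p for p in issuer_candidates(chain[-1], store) if p not in chain]
        if not parents or len(chain) >= max_depth:
            raise LookupError("no issuer found for " + chain[-1].subject)
        # A real engine would verify the signature against each candidate here.
        chain.append(parents[0])
    return chain

# Constructed sample store: one root name with two keys (e.g. a renewed CA key).
ROOT_OLD = Cert("CN=Example Root", "CN=Example Root", ski="aa01")
ROOT_NEW = Cert("CN=Example Root", "CN=Example Root", ski="bb02")
INT_NOEXT = Cert("CN=Example Intermediate", "CN=Example Root")  # no AKI/SKI
INT_V3 = Cert("CN=Example Intermediate G2", "CN=Example Root", ski="cc03", aki="bb02")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate G2", aki="cc03")
STORE = [ROOT_OLD, ROOT_NEW, INT_NOEXT, INT_V3]

if __name__ == "__main__":
    print([c.ski for c in issuer_candidates(INT_NOEXT, STORE)])  # ambiguous by name
    print([c.ski for c in issuer_candidates(INT_V3, STORE)])     # pinned by key
    print([c.subject for c in build_chain(LEAF, STORE)])
```

With no AKI the intermediate matches both roots by name, so only a signature check can tell them apart; the certificate carrying an AKI resolves to a single parent.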
-
Tuesday, March 13, 2012 12:57 PM
^^^ thanks - got it.
So indeed, AKI is a specific/exclusive method for X.509 v3, whereas v1 uses the general Issuer name matching method.
Covered Completely Here
- Edited by Harmandeep Thursday, February 21, 2013 9:47 AM Update

