How do these Intermediate CA Certificates do their Certificate Chaining

    Question

  • Hi Guys,

    The system in the screenshot below is a Windows 2003 SP2 server with no Windows updates (virtual instance).

    I want to confirm how these two Verisign intermediate CAs complete their certificate chaining, because these certificates (albeit expired) have no AKI (Authority Key Identifier extension/attribute) set in them. So how will they track their parent CA, which indeed issued their certificate, and complete their certificate chaining?

    OR is it that these certificates are indeed based on X.509 v1, and this version has no AKI / SKI (Subject Key Identifier) concept?

    http://www.imagebam.com/image/044b0e179148643

    Regards :)

    • Moved by Bruce-Liu Monday, March 12, 2012 5:46 AM (From:General)
    Saturday, March 10, 2012 10:46 PM

Answers

  • On Sat, 10 Mar 2012 22:46:55 +0000, Harmandeep wrote:

    I want to confirm how these two Verisign intermediate CAs complete their certificate chaining, because these certificates (albeit expired) have no AKI (Authority Key Identifier extension/attribute) set in them. So how will they track their parent CA, which indeed issued their certificate, and complete their certificate chaining?

    In the absence of an AKI or SKI value, the certificate chaining engine will
    attempt to build the trust chain by using name matching. It will attempt to
    find a parent certificate whose Subject name matches the Issuer name on the
    certificate being validated.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    10.0 times 0.1 is hardly ever 1.0.

    • Marked as answer by Harmandeep Tuesday, March 13, 2012 12:57 PM
    Monday, March 12, 2012 6:13 AM
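A toy model of the two lookup rules described in the answer (AKI-to-SKI key matching, with Subject/Issuer name matching as the fallback when no AKI is present), added here as an example and not part of the original thread. The certificate store is constructed sample data (dictionaries standing in for parsed X.509 fields), not the Verisign certificates from the screenshot; it includes two roots that share a Subject name to show why name matching alone can be ambiguous.

```python
"""Model of how a chain-building engine picks a parent certificate."""

# Constructed sample store (not real certificates). The two roots share
# the Subject "CN=Example Root" but hold different keys; only root-v3
# carries a Subject Key Identifier (SKI), as a v3 certificate would.
STORE = [
    {"name": "root-v1", "subject": "CN=Example Root",
     "issuer": "CN=Example Root", "ski": None, "aki": None},
    {"name": "root-v3", "subject": "CN=Example Root",
     "issuer": "CN=Example Root", "ski": "K2", "aki": None},
    # v1-style intermediate: no AKI, so only name matching is possible.
    {"name": "inter-v1", "subject": "CN=Example Inter",
     "issuer": "CN=Example Root", "ski": None, "aki": None},
    # v3-style intermediate: AKI names the issuing key explicitly.
    {"name": "inter-v3", "subject": "CN=Example Inter v3",
     "issuer": "CN=Example Root", "ski": "K4", "aki": "K2"},
]

# Same store with the ambiguity removed: a single root carries that name.
SINGLE_ROOT = [c for c in STORE if c["name"] != "root-v3"]


def find_parents(cert, store):
    """Return candidate issuer certificates for `cert`.

    With an AKI present the engine matches it against each candidate's SKI
    (a key match). Without one it falls back to the rule in the answer:
    parent Subject must equal the child's Issuer (a name match)."""
    if cert["aki"] is not None:
        return [c for c in store if c["ski"] == cert["aki"]]
    return [c for c in store
            if c["subject"] == cert["issuer"] and c is not cert]


def build_chain(leaf, store):
    """Walk from `leaf` up to a self-issued root.

    Returns (chain_names, status) with status 'complete', 'ambiguous'
    (more than one parent matched, which key matching would have
    resolved) or 'incomplete' (no parent found in the store)."""
    chain, cert = [leaf["name"]], leaf
    while cert["subject"] != cert["issuer"]:      # stop at self-issued
        parents = find_parents(cert, store)
        if not parents:
            return chain, "incomplete"
        if len(parents) > 1:
            return chain, "ambiguous"
        cert = parents[0]
        chain.append(cert["name"])
    return chain, "complete"


if __name__ == "__main__":
    for leaf in (STORE[2], STORE[3]):
        print(leaf["name"], "->", build_chain(leaf, STORE))
    print("inter-v1 (single root) ->", build_chain(STORE[2], SINGLE_ROOT))
```

The v3 intermediate chains to the correct root by key even though both roots share a name; the v1 intermediate chains only once the store contains a single certificate with the matching Subject.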

All replies

  • I would have asked here.
    http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Thanks


    Sunday, March 11, 2012 8:45 AM
  • ^^^ thanks - got it.

    So indeed, AKI is a method specific/exclusive to X.509 v3, whereas v1 uses the general Issuer name matching method.

    Covered Completely Here



    • Edited by Harmandeep Thursday, February 21, 2013 9:47 AM Update
    Tuesday, March 13, 2012 12:57 PM