5 replies Latest Post - ‏2013-04-05T16:40:12Z by SystemAdmin
SystemAdmin
6772 Posts

Pinned topic How to tell if certificate is signed?

‏2013-04-04T14:19:19Z |
There's a small debate going on in my company regarding certificates issued and signed by an internal CA. I'm getting the certs, and they say the certs are signed, but when I pull them up in DataPower, I can clearly see that the cert was issued by the CA, but I see no indication it is signed.

If it is signed, shouldn't I also see the "authorityKeyIdentifier" in the "Extensions" section?
  • inestlerode
    166 Posts

    Re: How to tell if certificate is signed?

    ‏2013-04-04T14:53:22Z  in response to SystemAdmin
    All X.509 certificates are signed whether or not they have an authorityKeyIdentifier extension.
    • SystemAdmin
      6772 Posts

      Re: How to tell if certificate is signed?

      ‏2013-04-04T15:10:16Z  in response to inestlerode
      OK... let me rephrase.

      If the certificate is signed by the CA certificate, shouldn't that be clear through the "authorityKeyIdentifier" extension?
      • SystemAdmin
        6772 Posts

        Re: How to tell if certificate is signed?

        ‏2013-04-05T11:18:25Z  in response to SystemAdmin
        The "issuer" field shows who signed the certificate. The certificate can be signed by itself (i.e. self-signed) or by someone else (typically someone you would regard as a "CA").
      • inestlerode
        166 Posts

        Re: How to tell if certificate is signed?

        ‏2013-04-05T16:00:10Z  in response to SystemAdmin
        There is no requirement that certificates use the authorityKeyIdentifier extension. The only requirement is that the issuing CA will have its Distinguished Name present in the Issuer field. There may or may not be an authorityKeyIdentifier (this is mainly used to disambiguate which signing key a CA used when a CA uses more than one key for signing).
        • SystemAdmin
          6772 Posts

          Re: How to tell if certificate is signed?

          ‏2013-04-05T16:40:12Z  in response to inestlerode
          Thank you all for the clarifications.
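
To illustrate the answers above, here is an added example (not part of the original thread) that walks the DER structure of a certificate with the Python standard library only. It shows that the issuer Name and the signatureValue are always present, while authorityKeyIdentifier is an optional extension. The function names `inspect_cert` and `sample_cert`, the certificate names, and the zero-filled key and signature bytes are assumptions made for the example.

```python
# Added illustration, not from the thread; sample data is constructed (placeholder bytes).
AKI_OID = bytes.fromhex("551d23")                  # 2.5.29.35 authorityKeyIdentifier
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption

def tlv(tag, body):
    """DER-encode one element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def children(body):
    """Split DER content bytes into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                               # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + n]))
        i += n
    return out

def inspect_cert(cert_der):
    """Report issuer, subject, signature size and AKI presence."""
    tbs, _sig_alg, sig = (v for _, v in children(children(cert_der)[0][1]))
    f = [v for t, v in children(tbs) if t != 0xA0]     # drop optional [0] version
    ext = [v for t, v in children(tbs) if t == 0xA3]   # optional [3] extensions
    oids = [children(e)[0][1] for _, e in children(children(ext[0])[0][1])] if ext else []
    return {"issuer": f[2], "subject": f[4], "self_issued": f[2] == f[4],
            "signature_bytes": len(sig) - 1, "has_aki": AKI_OID in oids}

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def sample_cert(issuer, subject, with_aki):
    """Build a well-formed certificate skeleton; key and signature are zero bytes."""
    alg = tlv(0x30, tlv(0x06, SHA256_RSA) + tlv(0x05, b""))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer)
           + tlv(0x30, tlv(0x17, b"130404000000Z") * 2) + name(subject)
           + tlv(0x30, alg + tlv(0x03, bytes(9))))       # placeholder SPKI
    if with_aki:
        aki = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, bytes(20)))))
        tbs += tlv(0xA3, tlv(0x30, aki))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, bytes(257)))

if __name__ == "__main__":
    for aki in (False, True):
        print(inspect_cert(sample_cert("Example Internal CA", "app.example.internal", aki)))
```

Both sample certificates report the same issuer and a 256-byte signatureValue; only the second carries authorityKeyIdentifier. Confirming that the CA actually produced the signature means verifying signatureValue over the tbsCertificate bytes with the CA's public key, which this parser does not do.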