  • Latest Post - ‏2013-04-05T16:40:12Z by SystemAdmin
SystemAdmin

How to tell if certificate is signed?

‏2013-04-04T14:19:19Z |
There's a small debate going on in my company regarding certificates issued and signed by an internal CA. I'm getting the certs, and they say the certs are signed, but when I pull them up in DataPower, I can clearly see that the cert was issued by the CA, but I see no indication it is signed.

If it is signed, shouldn't I also see the "authorityKeyIdentifier" in the "Extensions" section?
  • inestlerode

    Re: How to tell if certificate is signed?

    ‏2013-04-04T14:53:22Z  
    All X.509 certificates are signed whether or not they have an authorityKeyIdentifier extension.
  • SystemAdmin

    Re: How to tell if certificate is signed?

    ‏2013-04-04T15:10:16Z  
    All X.509 certificates are signed whether or not they have an authorityKeyIdentifier extension.
    OK... let me rephrase.

    If the certificate is signed by the CA certificate, shouldn't that be clear through the "authorityKeyIdentifier" extension?
  • SystemAdmin

    Re: How to tell if certificate is signed?

    ‏2013-04-05T11:18:25Z  
    OK... let me rephrase.

    If the certificate is signed by the CA certificate, shouldn't that be clear through the "authorityKeyIdentifier" extension?
    The "issuer" field shows who signed the certificate. The certificate can be signed by itself (i.e. self-signed) or by someone else (typically someone you would regard as a "CA").
  • inestlerode

    Re: How to tell if certificate is signed?

    ‏2013-04-05T16:00:10Z  
    OK... let me rephrase.

    If the certificate is signed by the CA certificate, shouldn't that be clear through the "authorityKeyIdentifier" extension?
    There is no requirement that certificates use the authorityKeyIdentifier extension. The only requirement is that the issuing CA will have its Distinguished Name present in the Issuer field. There may or may not be an authorityKeyIdentifier (this is mainly used to disambiguate which signing key a CA used when a CA uses more than one key for signing).
  • SystemAdmin

    Re: How to tell if certificate is signed?

    ‏2013-04-05T16:40:12Z  
    There is no requirement that certificates use the authorityKeyIdentifier extension. The only requirement is that the issuing CA will have its Distinguished Name present in the Issuer field. There may or may not be an authorityKeyIdentifier (this is mainly used to disambiguate which signing key a CA used when a CA uses more than one key for signing).
    Thank you all for the clarifications.
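
Added example, not part of the thread and not DataPower code: a check of the points discussed above, showing that a certificate with no authorityKeyIdentifier still carries a signature, and that confirming which CA signed it means matching the Issuer name and verifying that signature with the CA's public key. It assumes the Python `cryptography` package; all names and certificates are constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Build a constructed test certificate with no extensions (so no AKI)."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))


def has_aki(cert):
    """Report whether the optional authorityKeyIdentifier extension is present."""
    try:
        cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
        return True
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, ca_cert):
    """True only if the Issuer DN matches and the signature verifies under the CA key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


# Constructed sample data: an internal CA, a leaf it issued, and a look-alike
# certificate that names the same issuer but was signed with an unrelated key.
CA_NAME = "Example Internal CA"
ca_key, leaf_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca_cert = make_cert(CA_NAME, ca_key, CA_NAME, ca_key)            # self-signed
leaf = make_cert("app.example.internal", leaf_key, CA_NAME, ca_key)
lookalike = make_cert("app.example.internal", leaf_key, CA_NAME, other_key)
```

`signed_by(leaf, ca_cert)` returns True although `has_aki(leaf)` is False, while `signed_by(lookalike, ca_cert)` returns False even though its Issuer field names the same CA.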