In self-signed certificates, Authority Key Identifier matches the Subject Key Identifier value and is not used (redundant).
How to set the authority key identifier using powershell New-SelfSignedCertificate
New-SelfSignedCertificate -Subject "CN=me.com, OU=ounit, O=company, L=state, C=country" -FriendlyName "me.com" `
-HashAlgorithm SHA256 -KeyLength 4096 -KeyUsage DigitalSignature,KeyEncipherment `
-NotAfter (Get-Date).AddDays(1024) -CertStoreLocation cert:\LocalMachine\My `
-TextExtension @("2.5.29.19={text}CA=false") -KeyExportPolicy Exportable
I am working from the command above and trying to get this property set on the certificate:
I tried the following and got errors:
-TextExtension @("2.5.29.19={text}CA=false","2.5.29.35={2.5.29.14}")
I know that with a self-signed certificate the Authority Key Identifier KeyID will be assigned the Subject Key Identifier, but what is the correct way to go about doing this? Microsoft's documentation doesn't clearly state it: https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps
From the below snippet, I was able to set the value to a string that got converted to Hex:
-TextExtension @("2.5.29.19={critical}{text}CA=0","2.5.29.35=issuer")
But how do I assign the value of the Subject Key Identifier to the Authority Key Identifier since it is a self-signed certificate?
And I haven't been able to find any specific assignments through searching.
2 answers
Limitless Technology 44,431 Reputation points
2022-09-29T07:36:54.723+00:00
Hello there,
If it is self-signed, then I suppose you need not assign the value of the Subject Key Identifier to the Authority Key Identifier. The key identifier in AKI is derived from the issuer public key, while the key identifier in SKI is derived from the subject public key. In the self-signed case, the subject and issuer are the same, so the AKI and SKI would be the same.
The key identifier in AKI and SKI is the SHA-1 hash of the issuer and subject public key respectively.
The AKI and SKI values are mainly used in certificate path construction in order to identify the right issuer certificate.
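To check the answer's two claims on a certificate New-SelfSignedCertificate actually produces, here is an added example (not code from the question or the answer above): it creates a throwaway self-signed certificate with the same kind of command as the question, reads back the Subject Key Identifier (2.5.29.14) and Authority Key Identifier (2.5.29.35), and reports whether the AKI KeyID equals the SKI and whether the SKI is the SHA-1 of the public key (RFC 5280 method 1). The subject name and the CurrentUser store are assumptions; if the cmdlet emits no AKI at all, the script reports that instead of failing.

```powershell
# Added example: create a self-signed certificate and inspect SKI vs. AKI.
# Subject name and store location are assumed, not taken from the question.
$cert = New-SelfSignedCertificate -Subject "CN=aki-check.example" `
    -HashAlgorithm SHA256 -KeyLength 2048 -KeyUsage DigitalSignature,KeyEncipherment `
    -NotAfter (Get-Date).AddDays(30) -CertStoreLocation Cert:\CurrentUser\My `
    -TextExtension @("2.5.29.19={text}CA=false")

function Get-ExtensionByOid($Certificate, [string]$Oid) {
    $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
}

# SKI: .NET hands back a typed X509SubjectKeyIdentifierExtension whose
# SubjectKeyIdentifier property is already a hex string.
$skiExt = Get-ExtensionByOid $cert '2.5.29.14'
$ski = $skiExt.SubjectKeyIdentifier.ToUpperInvariant()

# Expected SKI under RFC 5280 method 1: SHA-1 over the subjectPublicKey bits
# (EncodedKeyValue.RawData is the DER public key without the algorithm wrapper).
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$expected = ($sha1.ComputeHash($cert.PublicKey.EncodedKeyValue.RawData) |
    ForEach-Object { $_.ToString('X2') }) -join ''

"SKI                         : $ski"
"SHA-1(public key)           : $expected"
"SKI is SHA-1 of public key  : $($ski -eq $expected)"

# AKI: Windows PowerShell has no typed class for it, so parse the DER by hand.
# Layout when only KeyID is present: SEQUENCE { [0] KeyIdentifier } = 30 LL 80 LL <keyid>
$akiExt = Get-ExtensionByOid $cert '2.5.29.35'
if (-not $akiExt) {
    "AKI                         : not present (redundant on a self-signed certificate)"
} else {
    $raw = $akiExt.RawData
    if ($raw[0] -eq 0x30 -and $raw[2] -eq 0x80) {
        $len = [int]$raw[3]
        $aki = ($raw[4..(3 + $len)] | ForEach-Object { $_.ToString('X2') }) -join ''
        "AKI KeyID                   : $aki"
        "AKI KeyID matches SKI       : $($aki -eq $ski)"
    } else {
        # Some other AKI shape (e.g. issuer name + serial first); dump it raw.
        "AKI                         : " + (($raw | ForEach-Object { $_.ToString('X2') }) -join ' ')
    }
}

# Remove the throwaway certificate so it does not linger in the store.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```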