How to set the authority key identifier using powershell New-SelfSignedCertificate

tks tman 1 Reputation point
2022-09-28T09:36:52.837+00:00
New-SelfSignedCertificate -Subject "CN=me.com, OU=ounit, O=company, L=state, C=country" -FriendlyName "me.com" `
    -HashAlgorithm SHA256 -KeyLength 4096 -KeyUsage DigitalSignature,KeyEncipherment `
    -NotAfter (Get-Date).AddDays(1024) -CertStoreLocation cert:\LocalMachine\My `
    -TextExtension @("2.5.29.19={text}CA=false") -KeyExportPolicy Exportable

I am working from the command above and trying to get this property set on the certificate:


I tried the following and got errors:

-TextExtension @("2.5.29.19={text}CA=false","2.5.29.35={2.5.29.14}")

I know that with a self-signed certificate the Authority Key Identifier KeyID will be assigned to the Subject Key Identifier, but what is the correct way to go about doing this? Microsoft's documentation doesn't clearly state it: https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps

From the below snippet, I was able to set the value to a string that got converted to Hex:

-TextExtension @("2.5.29.19={critical}{text}CA=0","2.5.29.35=issuer")

But how do I assign the value of the Subject Key Identifier to the Authority Key Identifier since it is a self-signed certificate?

And I haven't been able to find any specific assignments through searching.


2 answers

Sort by: Most helpful
  1. Vadims Podāns 9,126 Reputation points MVP
    2022-09-28T10:49:03.597+00:00

    In self-signed certificates, Authority Key Identifier matches the Subject Key Identifier value and is not used (redundant).


  2. Limitless Technology 44,431 Reputation points
    2022-09-29T07:36:54.723+00:00

    Hello there,

    If it is self-signed then I suppose you need not assign the value of the Subject Key Identifier to the Authority Key Identifier. The key identifier in AKI is derived from the issuer public key while the key identifier in SKI is derived from the subject public key. In the self-signed case, the subject and issuer are the same, so the AKI and SKI would be the same.

    The key identifier in AKI and SKI is the SHA-1 hash of the issuer and subject public key respectively.
    The AKI and SKI values are mainly used in certificate path construction in order to identify the right issuer certificate.

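Added example (not code from the question or either answer): it creates the self-signed certificate from the question and then reads back the Subject Key Identifier (2.5.29.14) and Authority Key Identifier (2.5.29.35) extensions so you can see whether an AKI is present at all and whether its KeyID equals the SKI, which is what the answers above say you should expect. It assumes Windows PowerShell 5.1 on Windows (the AKI value is parsed from the text that the extension's Format() method returns, because .NET Framework has no typed AKI class) and an elevated session, since it writes to Cert:\LocalMachine\My.

```powershell
# Added example: verify SKI/AKI on a self-signed certificate (assumes elevated Windows PowerShell 5.1).
$cert = New-SelfSignedCertificate -Subject "CN=me.com, OU=ounit, O=company, L=state, C=country" `
    -FriendlyName "me.com" -HashAlgorithm SHA256 -KeyLength 4096 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddDays(1024) -CertStoreLocation Cert:\LocalMachine\My `
    -TextExtension @("2.5.29.19={text}CA=false") -KeyExportPolicy Exportable

function Get-KeyIdentifiers {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Subject Key Identifier: re-wrap the raw extension in the typed class to read the hex value.
    $skiExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1
    $ski = $null
    if ($skiExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($skiExt, $skiExt.Critical)
        $ski = $typed.SubjectKeyIdentifier
    }

    # Authority Key Identifier: Format() renders it as "KeyID=xx xx ..."; keep only the hex digits.
    $akiExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' } | Select-Object -First 1
    $aki = $null
    if ($akiExt) {
        $line = ($akiExt.Format($true) -split "`r?`n") | Where-Object { $_ -match 'KeyID=' } | Select-Object -First 1
        if ($line) {
            $aki = (($line -replace '^.*KeyID=', '') -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        }
    }

    [pscustomobject]@{
        Thumbprint             = $Certificate.Thumbprint
        SubjectKeyIdentifier   = $ski
        AuthorityKeyIdentifier = $aki
        AkiPresent             = [bool]$akiExt
        AkiMatchesSki          = ($null -ne $aki -and $aki -eq $ski)
    }
}

Get-KeyIdentifiers -Certificate $cert | Format-List
```

If AkiPresent is False the certificate simply has no AKI extension, which chain building tolerates for a self-signed (trust-anchor) certificate; if it is True, AkiMatchesSki shows whether the value is the redundant copy of the SKI that the answers describe.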
