Edit

Share via

IX509ExtensionSubjectKeyIdentifier interface (certenroll.h)

  • Article

The IX509ExtensionSubjectKeyIdentifier interface enables you to specify a SubjectKeyIdentifier extension. When a subject has multiple signing certificates, this extension can be used to help identify which certificate matches a specific certification authority (CA) signing certificate. The extension is placed in all certificates. The following syntax shows the Abstract Syntax Notation One (ASN.1) structure of the extension. The extension value is encoded by using Distinguished Encoding Rules (DER) and included in the certificate request.


----------------------------------------------------------------------
-- SubjectKeyIdentifier
-- XCN_OID_SUBJECT_KEY_IDENTIFIER (2.5.29.14)
----------------------------------------------------------------------

SubjectKeyIdentifier ::= KeyIdentifier

KeyIdentifier ::= OCTETSTRING

Typically the value is a 20-byte SHA-1 hash of the public key contained in the CA signing certificate. When the CA issues a certificate, it copies the hash value into the SubjectKeyIdentifier extension. To find the end-entity certificate signed by a particular CA certificate, chain building software searches until it matches the keyIdentifier field in the AuthorityKeyIdentifier extension on the CA signing certificate with a SubjectKeyIdentifier extension value on an issued certificate. For more information, see IX509ExtensionAuthorityKeyIdentifier.

To add this extension object to a PKCS #10 request or a CMC request, you must first add it to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see the PKCS #10 Extensions and the CMC Extensions topics.

Inheritance

The IX509ExtensionSubjectKeyIdentifier interface inherits from IX509Extension. IX509ExtensionSubjectKeyIdentifier also has these types of members:

Methods

The IX509ExtensionSubjectKeyIdentifier interface has these methods.

 
IX509ExtensionSubjectKeyIdentifier::get_SubjectKeyIdentifier

Retrieves a byte array that contains the key identifier.
IX509ExtensionSubjectKeyIdentifier::InitializeDecode

Initializes the extension from a Distinguished Encoding Rules (DER) encoded byte array that contains the extension value. (IX509ExtensionSubjectKeyIdentifier.InitializeDecode)
IX509ExtensionSubjectKeyIdentifier::InitializeEncode

Initializes the extension from a byte array that contains the key identifier.

Requirements

Requirement Value
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header certenroll.h

See also

Certificate Enrollment API

Extensions

IX509Extension