"Authority Key Identifier Extension is malformed" when importing CA-signed certificate to Azure Key Vault

Malhar 20 Reputation points
2024-07-03T15:47:38.4433333+00:00

When I try to import a CA-signed certificate to Azure Key Vault in either .pfx or .pem format, I'm getting the following error:

CODE BadParameter
MESSAGE The specified X.509 certificate content is invalid. Error: x.509 authority key identifier extension is malformed..

I have checked the certificate using openssl x509 -in certificate.pfx -text -noout and the authority key identifier extension values are different from each other.
So I would like to understand, is it necessary that both the Subject Key Identifier & Authority Key Identifier values should be the same?



Accepted answer
  1. Navya 11,050 Reputation points Microsoft Vendor
    2024-07-04T07:03:35.2866667+00:00

    Hi @Malhar

    Thank you for posting this in Microsoft Q&A.

    I understand that you are trying to import a CA-signed certificate to Azure Key Vault, but you get the error "The specified X.509 certificate content is invalid. Error: x.509 authority key identifier extension is malformed".

    Can you confirm which tool you used to generate the self-signed CA?

    If you used OpenSSL or another tool to generate the self-signed CA, you need to add the public certificate for that CA to the X509Store.

    I would like to understand, is it necessary that both Subject Key Identifier & Authority Key Identifier values should be same?

    In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension of certificates issued by the subject of this certificate.

    For more information about Subject Key Identifier & Authority Key Identifier:

    Authority Key Identifier
    Subject Key Identifier

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
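
The rule quoted in the answer comes from RFC 5280 and can be checked mechanically. The following is an added example, not code from the original post or from Azure Key Vault: a standard-library parser for the DER value of the Authority Key Identifier extension that rejects malformed encodings and compares its keyIdentifier with the issuer's Subject Key Identifier. The function names are hypothetical, the byte strings are constructed samples, and the checks are those of RFC 5280, not necessarily the ones Key Vault applies.

```python
# Added example: structural check of an AuthorityKeyIdentifier value (RFC 5280, 4.2.1.1).

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_aki(ext_value):
    """Parse the DER inside the extension's OCTET STRING; raise if malformed."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("AKI must be exactly one SEQUENCE")
    fields, pos, last = {}, 0, -1
    names = {0x80: "keyIdentifier", 0xA1: "authorityCertIssuer",
             0x82: "authorityCertSerialNumber"}
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag not in names or (tag & 0x1F) <= last:
            raise ValueError(f"unexpected or out-of-order tag 0x{tag:02x}")
        last = tag & 0x1F
        fields[names[tag]] = val
    # RFC 5280: issuer and serial must both be present or both absent.
    if ("authorityCertIssuer" in fields) != ("authorityCertSerialNumber" in fields):
        raise ValueError("authorityCertIssuer/serial must appear together")
    return fields

def aki_matches_issuer(leaf_aki_value, issuer_ski_value):
    """True when the leaf's AKI keyIdentifier equals the issuer's SKI."""
    tag, ski, end = read_tlv(issuer_ski_value, 0)   # SKI is a bare OCTET STRING
    if tag != 0x04 or end != len(issuer_ski_value):
        raise ValueError("SKI must be exactly one OCTET STRING")
    return parse_aki(leaf_aki_value).get("keyIdentifier") == ski

# Constructed sample values (not taken from the question's certificate).
KEY_ID = bytes(range(1, 21))                      # 20-byte identifier
ISSUER_SKI = b"\x04\x14" + KEY_ID                 # OCTET STRING
GOOD_AKI = b"\x30\x16\x80\x14" + KEY_ID           # SEQUENCE { [0] keyIdentifier }
BAD_AKI = b"\x30\x19\x80\x14" + KEY_ID + b"\x82\x01\x05"  # serial without issuer
```

The inputs are the raw extension values: the bytes inside each extension's OCTET STRING wrapper, for the leaf's Authority Key Identifier and the issuing CA's Subject Key Identifier respectively.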

