Harry

Reputation: 198

Certificate Subject Key Identifier length

I've got a certificate with the following Subject Key Identifier: 34:4E:D9:3E:48:CB:17:18:63:57:A5:14:E1:DB:67:14:A7:CB:6A:F6

The x509 standard states that it should be 32 bytes long; however, it seems much longer to me. How can I get the 32-byte SKI?

Thank you!

Upvotes: 1

Views: 1670

Answers (1)

bartonjs

Reputation: 33266

The x509 standard states that it should be 32 bytes long

Where do you see that? There are two recommended ways for computing Subject Key Identifier, per IETF RFC 3280, section 4.2.1.2:

(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).

(2) The keyIdentifier is composed of a four bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bit string bits).

So a 160-bit value, or a 64-bit value. Neither of those is 32 bytes (or 32 bits).

RFC 5280 then adds "Other methods of generating unique numbers are also acceptable."

ITU-T X.509 (2016) doesn't provide any prescriptive guidance on creating the value... or how long it should be.

Upvotes: 4
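To make the two RFC 5280 methods concrete, here is an added example (not part of the original question or answer) that derives a Subject Key Identifier from a SubjectPublicKeyInfo both ways and shows why the value in the question is 20 bytes. It uses only hashlib and a minimal hand-written DER encoder/decoder; the RSA key it builds is a constructed toy value with a 64-bit modulus, present only so the example runs offline, and the helper names (`build_toy_rsa_spki`, `ski_method1`, `ski_method2`, `classify_ski`) are this example's own, not names from any library.

```python
"""Subject Key Identifier derivation per RFC 5280 section 4.2.1.2, methods (1) and (2).

Example added for this Q&A, not from the original post. Uses only hashlib plus a
tiny DER encoder/decoder. The RSA key below is a constructed toy value, far too
small for real use; it exists only so the example runs offline.
"""
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def build_toy_rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key (constructed sample, not a real key)."""
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Return the BIT STRING subjectPublicKey content minus tag, length and the
    unused-bits octet: exactly the bytes RFC 5280 says to hash."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = read_tlv(spki)  # AlgorithmIdentifier, not hashed
    tag, bit_string, _ = read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    if bit_string[0] != 0:  # RSA and EC keys are always octet-aligned
        raise ValueError("unexpected unused bits in subjectPublicKey")
    return bit_string[1:]


def ski_method1(spki_der: bytes) -> bytes:
    """Method (1): the full 160-bit SHA-1 of subjectPublicKey, i.e. 20 bytes."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()


def ski_method2(spki_der: bytes) -> bytes:
    """Method (2): 4-bit type field 0100 then the low 60 bits of that SHA-1, i.e. 8 bytes."""
    digest = int.from_bytes(ski_method1(spki_der), "big")
    low60 = digest & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")


def format_ski(ski: bytes) -> str:
    """Colon-separated upper-case hex, as certificate viewers print it."""
    return ":".join(f"{b:02X}" for b in ski)


def classify_ski(hex_colon: str) -> str:
    """Report which RFC 5280 method a printed SKI's length is consistent with."""
    raw = bytes.fromhex(hex_colon.replace(":", ""))
    if len(raw) == 20:
        return "20 bytes: consistent with method (1), full SHA-1"
    if len(raw) == 8 and raw[0] >> 4 == 0x4:
        return "8 bytes with leading 0100 nibble: consistent with method (2)"
    return f"{len(raw)} bytes: some other generation method"


if __name__ == "__main__":
    spki = build_toy_rsa_spki(0xC6A03B5D9E7F1A21, 65537)  # constructed toy key
    print("method 1:", format_ski(ski_method1(spki)))
    print("method 2:", format_ski(ski_method2(spki)))
    print(classify_ski("34:4E:D9:3E:48:CB:17:18:63:57:A5:14:E1:DB:67:14:A7:CB:6A:F6"))
```

Run against the identifier in the question, `classify_ski` reports 20 bytes, which is the method (1) length; a method (2) identifier would be 8 bytes and start with the nibble 0100, and neither method ever yields 32 bytes. Because a CA may use "other methods", the length check is only a consistency test: verifying that an SKI matches a certificate's key still requires recomputing it with the method you expect and comparing.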
