I'm creating a self signed certificate using openssl.
I created a key pair using the openssl function RSA_generate_key():
RSA *key = RSA_generate_key(1024, 65537, NULL, NULL); /* 1024-bit modulus, e = 65537, no progress callback */
Now, I want to generate the Authority Key Identifier for the self signed certificate.
The RFC says:
The value of the keyIdentifier field SHOULD be derived from the public key used to verify the certificate's signature or a method that generates unique values. Two common methods for generating key identifiers from the public key are described in Section 4.2.1.2.
Okay. Let's have a look. In the mentioned section 4.2.1.2, the description says:
(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
(2) The keyIdentifier is composed of a four-bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
If I'd want to use version (1): how do I obtain the data to be hashed in order to create a valid Authority Key Identifier?
First you need to create your certificate. Then add the authority key identifier extension as follows:
add_ext(YourX509SelfSignedCert, NID_authority_key_identifier, "keyid,issuer"); /* add_ext() as in OpenSSL's demos/x509/mkcert.c */
You could also use only keyid. There is a good article about which one to use here.
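To make it concrete what "the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)" means, here is an added worked example that is not part of the question or the answer above. It is written against the standard library only: a small DER encoder builds the PKCS#1 RSAPublicKey structure (the same bytes OpenSSL's i2d_RSAPublicKey() produces) and wraps it in a SubjectPublicKeyInfo; a parser then strips the SEQUENCE, the AlgorithmIdentifier, the BIT STRING tag, length and unused-bits octet, and what is left is hashed with SHA-1 for method (1) and truncated to 60 bits for method (2). The modulus is a constructed number, not a real key, so the code runs offline; the function names are this example's own.

```python
"""
RFC 5280 section 4.2.1.2 key identifiers for an RSA public key, using
only the Python standard library. Added example; not from the original page.
"""
import hashlib


def der_length(n):
    # DER definite length: short form below 0x80, else 0x8N followed by N bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    # Non-negative INTEGER: minimal big-endian bytes, leading 0x00 if the high bit is set.
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_public_key_der(n, e):
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    # These are the bytes OpenSSL places inside subjectPublicKey for rsaEncryption keys.
    return der_tlv(0x30, der_integer(n) + der_integer(e))


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def spki_der(rsa_pub_der):
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier,
    #                                     subjectPublicKey BIT STRING }
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption with NULL params
    bit_string = der_tlv(0x03, b"\x00" + rsa_pub_der)      # first octet: 0 unused bits
    return der_tlv(0x30, alg + bit_string)


def parse_tlv(buf, offset):
    """Return (tag, content_start, content_end) for the DER element at buf[offset]."""
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:
        return tag, offset + 2, offset + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
    start = offset + 2 + nbytes
    return tag, start, start + length


def subject_public_key_bytes(spki):
    """The exact bytes RFC 5280 says to hash: BIT STRING value minus tag, length, unused-bits octet."""
    tag, start, _ = parse_tlv(spki, 0)
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    _, _, alg_end = parse_tlv(spki, start)          # skip AlgorithmIdentifier
    tag, bs_start, bs_end = parse_tlv(spki, alg_end)
    assert tag == 0x03, "expected subjectPublicKey BIT STRING"
    assert spki[bs_start] == 0, "subjectPublicKey must have 0 unused bits"
    return spki[bs_start + 1:bs_end]


def key_identifier_method1(spki):
    # Method (1): full 160-bit SHA-1 of the subjectPublicKey contents.
    return hashlib.sha1(subject_public_key_bytes(spki)).digest()


def key_identifier_method2(spki):
    # Method (2): 4-bit type field 0100 followed by the low 60 bits of the same SHA-1.
    digest = hashlib.sha1(subject_public_key_bytes(spki)).digest()
    low60 = int.from_bytes(digest[-8:], "big") & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")


# Constructed sample: an odd 512-bit integer standing in for a modulus. It is NOT a
# real RSA key; it only exercises the encoding and hashing paths offline.
SAMPLE_N = (1 << 511) | 0x1234567890ABCDEF
SAMPLE_E = 65537
SAMPLE_RSA_DER = rsa_public_key_der(SAMPLE_N, SAMPLE_E)
SAMPLE_SPKI = spki_der(SAMPLE_RSA_DER)

if __name__ == "__main__":
    print("hashed bytes :", subject_public_key_bytes(SAMPLE_SPKI).hex())
    print("method (1)   :", key_identifier_method1(SAMPLE_SPKI).hex())
    print("method (2)   :", key_identifier_method2(SAMPLE_SPKI).hex())
```

To check this against OpenSSL, export a real public key with openssl rsa -pubout -outform DER, pass those bytes to subject_public_key_bytes(), and compare key_identifier_method1() with the X509v3 Subject Key Identifier printed by openssl x509 -noout -text for a certificate that used subjectKeyIdentifier=hash; OpenSSL's "hash" is method (1). In a self-signed certificate the authority key identifier's keyid must equal the subject key identifier, which is why the answer adds the SKI first and then lets "keyid" copy it. Note also that the 1024-bit modulus in the question is below the size any current guidance accepts for a new key; 2048 bits or more is the minimum.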