Subject Key Identifier hash method

Tomas Mraz tomas at
Wed Jun 7 14:35:45 UTC 2023

The Subject Key Id does not necessarily have to be a fingerprint. In
case of CA certs it just needs to match with the Authority Key Id field
of the issued certificates signed by the key in the CA cert so the CA
cert can be matched easily during verification.

So in theory it can be any unique OCTET STRING that identifies the key
for given certificate authority. 

See RFC 5280 section

Tomas Mraz, OpenSSL

On Wed, 2023-06-07 at 08:56 -0400, Robert Moskowitz wrote:
> I am trying to figure out if the Subject Key Identifier hash method
> is 
> carried in the certificate.  An asn1dump of a "regular" cert shows:
>    276:d=4  hl=2 l=  29 cons:     SEQUENCE
>    278:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject
> Key 
> Identifier
>    283:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX 
> DUMP]:04144F0C1A75F4AF13DC67EC18465C020FC22A82616B
>    307:d=4  hl=2 l=  31 cons:     SEQUENCE
>    309:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3
> Authority 
> Key Identifier
>    314:d=5  hl=2 l=  24 prim:      OCTET STRING      [HEX 
> DUMP]:30168014A8885F91878E4ED6AA2056C535E2212413F96BA2
> I cannot easily see if the hashing method is contained here.  I am 
> assuming it is a sha2 hash of the EdDSA public keys, but how do I
> tell?
> Of course I am asking as I want to use the rfc9374 DETs here.
> thanks

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list