The Subject Key Id does not necessarily have to be a fingerprint. In case of CA certs it just needs to match with the Authority Key Id field of the issued certificates signed by the key in the CA cert so the CA cert can be matched easily during verification. So in theory it can be any unique OCTET STRING that identifies the key for given certificate authority. See RFC 5280 section 4.2.1.2. Tomas Mraz, OpenSSL On Wed, 2023-06-07 at 08:56 -0400, Robert Moskowitz wrote: > I am trying to figure out if the Subject Key Identifier hash method > is > carried in the certificate. An asn1dump of a "regular" cert shows: > > 276:d=4 hl=2 l= 29 cons: SEQUENCE > 278:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject > Key > Identifier > 283:d=5 hl=2 l= 22 prim: OCTET STRING [HEX > DUMP]:04144F0C1A75F4AF13DC67EC18465C020FC22A82616B > 307:d=4 hl=2 l= 31 cons: SEQUENCE > 309:d=5 hl=2 l= 3 prim: OBJECT :X509v3 > Authority > Key Identifier > 314:d=5 hl=2 l= 24 prim: OCTET STRING [HEX > DUMP]:30168014A8885F91878E4ED6AA2056C535E2212413F96BA2 > > > I cannot easily see if the hashing method is contained here. I am > assuming it is a sha2 hash of the EdDSA public keys, but how do I > tell? > > Of course I am asking as I want to use the rfc9374 DETs here. > > thanks > -- Tomáš Mráz, OpenSSL
