734 Netscape Certificate Management System Administrator’s Guide • February 2003

Discussion

The Subject Key Identifier extension identifies the public key certified by this certificate. This extension provides a way of distinguishing public keys if more than one is available for a given subject name, for example after the certificate has been renewed with a new key.

The value of this extension should be calculated by performing a SHA-1 hash of the certificate’s DER-encoded subjectPublicKey, as recommended by PKIX. The Subject Key Identifier extension is used in conjunction with the Authority Key Identifier extension for CA certificates. If the CA certificate has a Subject Key Identifier extension, the key identifier in the Authority Key Identifier extension (of the certificate being verified) should match the key identifier of the CA’s Subject Key Identifier extension. It is not necessary for the verifier to recompute the key identifier in this case.

PKIX Part 1 requires this extension for all CA certificates and recommends it for all other certificates.

CMS Version Support

Supported since CMS 4.1. Refer to “SubjectKeyIdentifierExt” on page 562.

Introduction to CRL Extensions

Since its initial publication, the X.509 standard for CRL formats has been amended to include additional information within a CRL. Version 2, the latest version, allows you to add information as CRL extensions.

The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs [X.509] [X9.55] enable you to associate additional attributes with CRLs. The Internet X.509 Public Key Infrastructure Certificate and CRL Profile (see http://www.ietf.org/rfc/rfc2459.txt) recommends a set of extensions to be used in CRLs. These extensions are called standard CRL extensions.
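
The Subject Key Identifier calculation and the Authority Key Identifier match described in the Discussion above, as an added example that is not taken from the guide or from CMS. It follows the PKIX (RFC 2459) method of hashing the subjectPublicKey BIT STRING value without its tag, length and unused-bits octet; the function names, the fallback when the issuer has no Subject Key Identifier extension, and the sample key are assumptions constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def subject_public_key_bits(spki):
    """Contents of the subjectPublicKey BIT STRING, minus the unused-bits octet."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _algorithm, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or len(bits) < 2 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with zero unused bits")
    return bits[1:]

def subject_key_identifier(spki):
    """SHA-1 over the key bits only, not over the whole SubjectPublicKeyInfo."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()

def aki_matches_issuer(child_aki, issuer_spki, issuer_ski=None):
    """Compare a child's AKI key identifier with the issuer's SKI extension value.
    Assumption: when the issuer has no SKI extension, derive one from its key."""
    if issuer_ski is None:
        issuer_ski = subject_key_identifier(issuer_spki)
    return child_aki == issuer_ski

# Constructed sample: Ed25519 SubjectPublicKeyInfo wrapping 32 made-up key bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + SAMPLE_KEY

if __name__ == "__main__":
    ski = subject_key_identifier(SAMPLE_SPKI)
    print("SKI:", ski.hex())
    print("hash of whole SPKI (different value):", hashlib.sha1(SAMPLE_SPKI).hexdigest())
    print("AKI matches issuer:", aki_matches_issuer(ski, SAMPLE_SPKI))
```

Hashing the entire SubjectPublicKeyInfo instead of the BIT STRING contents yields a different 20-byte value, which is a common reason a locally computed identifier fails to match the one in a certificate.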