CA/Application Instructions: Difference between revisions

The standards allow for two different CA certs with the same subject and with overlapping validities to have different keys (used for key rollover). The trick is if you pick the wrong CA cert when you are validating your chain, you will fail the signature validation. Because of this, CA's will often put two extensions in their certificates: one called the "Subject Key ID Extension", which is placed in the child, and the other is the "Certificate Authority Key Identifier", placed in the parent. These values are a random value that is unique for each key the CA uses. The child's Subject KeyID must match the parent's Certificate Authority Key Identifier if the latter exists. The standard allows for a way to generate a Auth Key ID from a hash, so it's not strictly necessary to include the Auth Key ID in the parent certificate, but it's good practice. NSS will use Subject Key ID to filter out certificates without the matching Auth Key ID automatically. If the CA issues it's certificates with these extensions, there isn't a problem with 2 certs with the same subject but different keys (or even key length).