How to set AKI and SKI extensions in certificates created through RSA Certificate Manager API
Originally Published: 2006-01-17
Article Number
Applies To
Issue
The RSA Certificate Manager 6.6 API sample code and documentation contain no example showing how to set the following certificate extensions:
Authority Key Identifier (AKI)
Subject Key Identifier (SKI)
Resolution
// define OID for SKI extension
// 2.5.29.14 is id-ce-subjectKeyIdentifier (RFC 5280, section 4.2.1.2).
#define EXTENSION_SUB_KEY_ID_OID "2.5.29.14"
// Add a new function to construct AKI extension
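/*
 * Builds an AuthorityKeyIdentifier (AKI) extension and sets it on the
 * "extensions" field of reqObject.
 *
 * The key identifier is the SHA-1 digest of the key bits taken from the
 * SubjectPublicKeyInfo of the CA certificate bound to the jurisdiction juriID.
 * juriID is not declared in this function; presumably it is a file-scope value
 * loaded from the defs file (see the error message below).
 *
 * session   - session on which XresJURISDICTION is set and the CA is looked up
 * reqObject - request object that receives the extension
 *
 * Returns the XudaRC of extension creation / XudaSetField. Failures before
 * that point print a message and terminate the process with a non-zero status.
 *
 * NOTE(review): relying parties match a certificate's AKI against the issuer's
 * SKI. If the CA certificate already carries an SKI computed by a different
 * method, a recomputed hash will not match it. Compare the issued
 * certificate's AKI with the CA certificate's SKI before relying on this.
 * NOTE(review): RFC 5280 method 1 hashes the subjectPublicKey BIT STRING
 * contents only (no tag, length or unused-bits octet); whether
 * XudaGetSPKIKeyBits returns exactly those bytes is not shown here - confirm.
 */
XudaRC BuildAKIExtension(XudaSession session, XANY reqObject)
{
    XANY xanyAKIExt = NULL;
    XudaRC rc = XrcOK;
    XANY xanyHashVal = NULL;
    XANY caObject = NULL;
    XANY spki = NULL;
    XANY pubKeyBits = NULL;
    int isCritical = 0; /* RFC 5280 4.2.1.1: AKI must be marked non-critical */
    XudaSession digestSession;
    int digestSessionOpen = 0; /* set only after XudaInit succeeds */

    if (juriID == NULL)
    {
        printf("juriID missing - it must be set in the defs file\n");
        exit(1); /* non-zero: this is a failure, not a normal exit */
    }

    rc = XudaSetResourceValue(session, XresJURISDICTION, XudaXPTUTF8Temp(juriID), NULL);
    if (rc != XrcOK)
    {
        printf("XudaSetResourceValue for XresJURISDICTION failed, errno %d\n", rc);
        exit(1);
    }

    /* get the xuda_ca object associated with the jurisdiction */
    rc = XudaJurisdictionGetCA(session, &caObject);
    if (rc != XrcOK)
    {
        printf("XudaJurisdictionGetCA() failed, errno %d\n", rc);
        exit(1);
    }

    /* only the SubjectPublicKeyInfo component of the CA certificate is needed */
    rc = XudaCertificateGetComponents(caObject, NULL, NULL, NULL, NULL, NULL, &spki, NULL);
    if (rc == XrcOK)
    {
        rc = XudaGetSPKIKeyBits(spki, &pubKeyBits);
    }
    if (rc == XrcOK)
    {
        /* SHA-1 is used here to derive an identifier, not to sign anything */
        rc = XudaInit(&digestSession, XresCRYPTODIGEST, XudaCryptoSHA1Digest, NULL);
        if (rc == XrcOK)
        {
            digestSessionOpen = 1;
        }
    }
    if (rc == XrcOK)
    {
        rc = XudaDigest(digestSession, pubKeyBits, &xanyHashVal);
    }
    /* Do not end a session that was never initialised: digestSession is
       indeterminate when an earlier step failed and XudaInit was skipped. */
    if (digestSessionOpen)
    {
        XudaEndSession(digestSession);
    }
    if (rc != XrcOK)
    {
        printf("Unable to generate a hash for AKI\n");
        exit(1);
    }

    /* now create the AKI extension (key identifier only; the two NULL
       arguments are left unset, as in the original sample) */
    rc = XudaCreateAuthorityKeyIdentifierExtension(isCritical, xanyHashVal, NULL, NULL, &xanyAKIExt);
    if (rc == XrcOK)
    {
        rc = XudaSetField(reqObject, "extensions", xanyAKIExt);
    }

    /* memory cleanup - also reached when extension creation fails, so the
       failure path no longer leaks the objects allocated above */
    if (xanyHashVal != NULL) XudaFree(xanyHashVal);
    if (xanyAKIExt != NULL) XudaFree(xanyAKIExt);
    if (caObject != NULL) XudaFree(caObject);
    if (spki != NULL) XudaFree(spki);
    if (pubKeyBits != NULL) XudaFree(pubKeyBits);
    return rc;
} // end of BuildAKIExtension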
// Add a new function to construct SKI extension
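/*
 * Builds a SubjectKeyIdentifier (SKI) extension and sets it on the
 * "extensions" field of reqObject.
 *
 * The key identifier is the SHA-1 digest of the key bits taken from the first
 * value of the request's multi-valued "spk" attribute (a PEM-encoded SPKI).
 *
 * reqObject - request object that supplies the public key and receives the
 *             extension
 *
 * Returns the XudaRC of extension creation / XudaSetField. Failures before
 * that point print a message and terminate the process with a non-zero status.
 *
 * NOTE(review): BuildExtensions() sets "extensions" for the AKI before calling
 * this function. Whether XudaSetField appends to or replaces an existing value
 * is not visible here - confirm that both extensions end up in the request.
 * NOTE(review): RFC 5280 method 1 hashes the subjectPublicKey BIT STRING
 * contents only (no tag, length or unused-bits octet); whether
 * XudaGetSPKIKeyBits returns exactly those bytes is not shown here - confirm.
 */
XudaRC BuildSKIExtension(XANY reqObject)
{
    XANY xanySKIExt = NULL;
    XudaRC rc = XrcOK;
    XANY xanyHashVal = NULL;
    XANY spkiList = NULL;
    XANY spkiFirst = NULL;
    char *spkiPEM = NULL;
    XANY spki = NULL;
    XANY pubKeyBits = NULL;
    int isCritical = 0; /* RFC 5280 4.2.1.2: SKI must be marked non-critical */
    XudaSession digestSession;
    int digestSessionOpen = 0; /* set only after XudaInit succeeds */

    if (reqObject == NULL)
    {
        printf("request object not set - unable to proceed with SKI extension\n");
        exit(1); /* non-zero: this is a failure, not a normal exit */
    }

    // retrieve public key from the request object
    rc = XudaGetField(reqObject, "spk", &spkiList);
    if (rc != XrcOK)
    {
        printf("Could not retrieve 'spk' attribute from request object, errno %d\n", rc);
        exit(1);
    }

    /* get the first item from the list (since 'spk' is multivalued) */
    rc = XudaXPTListFirst(spkiList, &spkiFirst);
    if (rc != XrcOK)
    {
        printf("Unable to extract first item from multi-valued 'spk' attribute, errno %d\n", rc);
        exit(1);
    }

    rc = XudaXPTUTF8Get(spkiFirst, &spkiPEM);
    if (rc != XrcOK)
    {
        printf("Unable to construct UTF8 string from 'spk', errno %d\n", rc);
        exit(1);
    }

    /* decode the PEM text into the SPKI octets */
    rc = XudaXPTOctetsFromPem(&spki, spkiPEM);
    if (rc != XrcOK)
    {
        printf("Unable to convert PEM spk to Octects, errno %d\n", rc);
        exit(1);
    }

    rc = XudaGetSPKIKeyBits(spki, &pubKeyBits);
    if (rc == XrcOK)
    {
        /* SHA-1 is used here to derive an identifier, not to sign anything */
        rc = XudaInit(&digestSession, XresCRYPTODIGEST, XudaCryptoSHA1Digest, NULL);
        if (rc == XrcOK)
        {
            digestSessionOpen = 1;
        }
    }
    if (rc == XrcOK)
    {
        rc = XudaDigest(digestSession, pubKeyBits, &xanyHashVal);
    }
    /* Do not end a session that was never initialised: digestSession is
       indeterminate when XudaGetSPKIKeyBits failed and XudaInit was skipped. */
    if (digestSessionOpen)
    {
        XudaEndSession(digestSession);
    }
    if (rc != XrcOK)
    {
        printf("Unable to generate a hash for SKI\n");
        exit(1);
    }

    // now create the SKI extension
    rc = XudaCreateOctetsExtension(EXTENSION_SUB_KEY_ID_OID, isCritical, xanyHashVal, &xanySKIExt);
    if (rc == XrcOK)
    {
        rc = XudaSetField(reqObject, "extensions", xanySKIExt);
    }

    // memory cleanup - also reached when extension creation fails, so the
    // failure path no longer leaks the objects allocated above
    if (xanyHashVal != NULL) XudaFree(xanyHashVal);
    if (xanySKIExt != NULL) XudaFree(xanySKIExt);
    if (spkiList != NULL) XudaFree(spkiList);
    // NOTE(review): if XudaXPTListFirst returns a reference into spkiList rather
    // than a copy, freeing both is a double free - confirm ownership in the API docs.
    if (spkiFirst != NULL) XudaFree(spkiFirst);
    if (spki != NULL) XudaFree(spki);
    if (pubKeyBits != NULL) XudaFree(pubKeyBits);
    if (spkiPEM != NULL) XudaMEMFREE(spkiPEM);
    return rc;
} // end of BuildSKIExtension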
// Update the existing function BuildExtensions() definition to also pass
// the 'session' variable (to be used by BuildAKIExtension() to generate AKI extension)
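// Excerpt of the existing sample function; "..." stands for code the article omits
// (including the declaration of rc).
XudaRC BuildExtensions(XudaSession session, XANY reqObject)
{
...
    // add the following calls to set AKI/SKI extensions
    // The callee names must match the definitions given earlier in this article
    // (BuildAKIExtension / BuildSKIExtension); no "...Good" variants are defined here.
    rc = BuildAKIExtension(session, reqObject);
    if (rc != XrcOK) return rc;
    rc = BuildSKIExtension(reqObject);
    if (rc != XrcOK) return rc;
...
}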
// Remember to update BuildRequest() so BuildExtensions() is called appropriately
// Excerpt of the existing sample function; "..." stands for code the article omits.
XANY BuildRequest(XudaSession session)
{
...
// Pass the session through so BuildAKIExtension() can look up the jurisdiction's CA.
// NOTE(review): rc and spReqObj are declared in the omitted code, and the article
// does not show how rc is handled after this call - check it before submitting
// the request, so a certificate is not requested without its AKI/SKI extensions.
rc = BuildExtensions(session, spReqObj);
...
}