Bouncy Castle developers and prospective developers:

Using Bouncy Castle C#, I've generated a keypair, and signed the
certificate. Microsoft Windows (Certificate Manager) could not, however,
recognize which in-house certification authority signed the generated
certificate. To find the correct certification authority among the
Trusted Root Certification Authorities, I needed to manually add an
authority key identifier, as documented by Roger Lipscombe:

// Derive the AKI from the issuer's certificate and add it as a
// non-critical extension before the certificate is generated.
var authorityKeyIdentifier =
    new AuthorityKeyIdentifierStructure(issuerCertificate);
certificateGenerator.AddExtension(
    X509Extensions.AuthorityKeyIdentifier.Id, false,
    authorityKeyIdentifier);

See http://blog.differentpla.net/blog/2013/03/20/bouncy-castle-missing-certificate-attributes/

The authority key identifier extension is mandated by RFC 5280:
        https://tools.ietf.org/html/rfc5280#section-4.2.1.1

Considering that the extension field is mandated both by IETF and by a
mainstream implementation, Bouncy Castle should warn if a certificate
is generated without an authority key identifier—or better yet add it
automatically.

It would have saved me a week of debugging in the dark if either
Windows or Bouncy Castle had informed me that I was to add an
authority key identifier. In retrospect, the documentation for the first
version of the Java BC API does mention how to add an authority key
identifier. But a run-time warning would have been incredibly nice to
have.

An assertion of a similar nature is in
crypto/src/asn1/pkcs/CertificationRequestInfo.cs:62,87. The function
CertificationRequestInfo (and overloads) would be a natural place for
emitting a warning. I don't know how to check if the authority key
identifier has been added, so I can't offer a patch myself. But it
should be a simple if-statement in each of the overloads.

In case anyone else stumbled on the same detail,
        Bjartur Thorlacius
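As an added illustration (not code from the post or from the Bouncy Castle project), here is the check the post says it lacked, written against the Bouncy Castle C# API names used above: it reports whether a certificate carries an AKI whose keyIdentifier matches the issuer's Subject Key Identifier, which is the relationship RFC 5280 expects, and a helper that adds both identifiers when building a certificate. The class, method and namespace names are assumed from the 1.8-era Bouncy Castle C# API.

```csharp
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;

public static class KeyIdentifierCheck
{
    // True only when 'cert' has an AKI extension whose keyIdentifier equals
    // the issuer's Subject Key Identifier. A missing AKI (the situation the
    // post describes) or a mismatch returns false, so a caller can warn
    // before the certificate is handed to a chain builder.
    public static bool AuthorityKeyIdentifierMatchesIssuer(
        X509Certificate cert, X509Certificate issuer)
    {
        Asn1OctetString akiValue =
            cert.GetExtensionValue(X509Extensions.AuthorityKeyIdentifier);
        if (akiValue == null)
            return false; // no AKI extension at all

        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.GetInstance(
            X509ExtensionUtilities.FromExtensionValue(akiValue));
        byte[] akiKeyId = aki.GetKeyIdentifier();
        if (akiKeyId == null)
            return false; // AKI present but without a keyIdentifier field

        Asn1OctetString skiValue =
            issuer.GetExtensionValue(X509Extensions.SubjectKeyIdentifier);
        if (skiValue == null)
            return false; // issuer has no SKI to match against

        byte[] issuerKeyId = SubjectKeyIdentifier.GetInstance(
            X509ExtensionUtilities.FromExtensionValue(skiValue))
            .GetKeyIdentifier();
        return Arrays.AreEqual(akiKeyId, issuerKeyId);
    }

    // Adds SKI (derived from the subject's public key) and AKI (derived from
    // the issuer certificate) so that the check above passes on the result.
    public static void AddKeyIdentifiers(
        X509V3CertificateGenerator gen,
        AsymmetricKeyParameter subjectPublicKey,
        X509Certificate issuerCertificate)
    {
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(subjectPublicKey));
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerCertificate));
    }
}
```

Calling AuthorityKeyIdentifierMatchesIssuer on the generated certificate and the issuer's certificate right after Generate() turns the silent failure described above into an immediate, local diagnostic.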
