What is an RSA “key ID”?

Question

I\'ve seen key IDs used in several places and would like to use them in my program, but I haven\'t been able to find a description of them. How are they generated?

Answer 1

In the case of Strongswan one can display what it refers to as the keyid using its command line utilities. The main point of the keyid is that it can be used to identify the actual public key contained within a certificate so that a certificate might change but by checking the keyid one can check whether the key has changed or not.

The pki command will list the keyids of an X.509 cert as follows (where the subjectPublicKeyInfo hash is the keyid):

pki --keyid --in cert.pem --type x509

Or for an RSA private key:

pki --keyid --in key.pem

The second command is ipsec which one can use to list all the certs (and config) installed in the /etc/ipsec.d subdirectories (this command will list the certificates and their corresponding keyid which is the same as their subjectPublicKeyInfo hash listed by the pki command):

ipsec listall

Also one can use openssl to generate Strongswan's idea of a keyid, which is basically the SHA1 of the actual RSA public key (the sed script just strips the '-----BEGIN PUBLIC KEY-----' and END banners) [Corrected after Micah's comment]:

openssl x509 -in cert.pem -noout -pubkey | sed 's/--.*$//g' | base64 --decode | sha1sum