Ceremony: use pre-existing SKID during cross-signing (#8311)

aarongable · web-flow · commit cd59eed63d7a · 2025-07-18T13:08:32.000-07:00
When cross-signing a pre-existing root, the cross-sign's Subject Key
Identifier field needs to exactly match the existing cert's Subject Key
Identifier. Rather than recompute it, copy it directly from the
"to-be-cross-signed" cert.
diff --git a/cmd/ceremony/cert.go b/cmd/ceremony/cert.go
@@ -286,6 +286,8 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 	case crossCert:
 		cert.ExtKeyUsage = tbcs.ExtKeyUsage
 		cert.MaxPathLenZero = tbcs.MaxPathLenZero
+		// The SKID needs to match the previous SKID, no matter how it was computed.
+		cert.SubjectKeyId = tbcs.SubjectKeyId
 	}
 
 	for _, policyConfig := range profile.Policies {

Original file line number	Diff line number	Diff line change
`@@ -286,6 +286,8 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc`
`286`	`286`	`case crossCert:`
`287`	`287`	`cert.ExtKeyUsage = tbcs.ExtKeyUsage`
`288`	`288`	`cert.MaxPathLenZero = tbcs.MaxPathLenZero`
	`289`	`+ // The SKID needs to match the previous SKID, no matter how it was computed.`
	`290`	`+ cert.SubjectKeyId = tbcs.SubjectKeyId`
`289`	`291`	`}`
`290`	`292`
`291`	`293`	`for _, policyConfig := range profile.Policies {`