
Is it normal for multiple intermediate CA certs to have the same Subject Key Identifier? Why does this happen? I always thought that this was a unique attribute.

I have come across some odd cases where the intermediate CA that Windows suggests (under the Certification Path section of Crypto Shell Extensions) belongs to a different chain sequence than the one that the certificate authority provided.

For example, here are two GoDaddy Intermediates. "Issued To:" is the same but "Issued By:" is different:

[screenshot]

If I check the Subject Key Identifier for both, they're the same:

[screenshot]

One seems to be a root but the other is an intermediate:

[screenshot]

Windows is pre-loaded with one but the CA (GoDaddy in this case) gave me the other.

So, why do these exist and what is the difference between them? Neither appears to be revoked, and I didn't manually add any of these intermediate CA certs to my Windows trust store.

Mike B
  • I'm guessing the intermediate CA is a cross CA. Related: http://security.stackexchange.com/questions/109782/why-would-amazon-include-an-already-trusted-root-ca-in-the-bug-report-they-filed/109789#109789 – StackzOfZtuff Jan 08 '16 at 21:40

1 Answer


You often find certificates with the same subject, public key and subject key identifier, but these usually differ in the signature algorithm or the issuer. Since the details relevant for chain validation are the same, each of these can be used to build the trust chain, which often makes multiple trust chains possible. The hope is that at least one of these trust chains can be built for all relevant clients.

Such "duplicate" certificates happen if a certificate gets re-signed with a new signature algorithm (e.g. a move from SHA-1 to SHA-256). It is also done for new CAs like Let's Encrypt, which are not inside the trust store of all OS/browsers when they start. Thus they create two similar certificates: one self-signed for inclusion in the trust store and another one cross-signed by an already trusted CA. For an example of such cross signing, see the description of the certificates used by Let's Encrypt.

Steffen Ullrich
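The situation described in the answer, reproduced in miniature with the openssl command line. This is an added example and not code from the question, the answer, GoDaddy or Let's Encrypt; it assumes an openssl binary of version 1.1.1 or newer on the PATH, and the CA names ("Old Trusted Root", "New CA", "example.test") are invented for the demonstration. One CA key is certified twice from the same CSR, once self-signed and once cross-signed by an older root, and the script then shows that both certificates carry the same subject, public key and Subject Key Identifier while differing in issuer and Authority Key Identifier, and that a leaf issued by that key validates through either one depending on what the client trusts.

```shell
#!/bin/sh
# Added example (not from the original post): build a CA whose single key has
# two certificates, one self-signed root and one cross-signed by an older root,
# and show that they share subject, public key and Subject Key Identifier while
# differing in issuer and Authority Key Identifier. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config plus the v3 extensions for CA and leaf certificates.
write_configs() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    # SKI is a hash of the public key, so every certificate for that key gets
    # the same value; AKI copies the issuer's SKI, so it tells the certs apart.
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Generate an EC key and a CSR: $1 = file stem, $2 = subject CN.
key_and_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
        -config "$WORK/req.cnf" -out "$WORK/$1.csr"
}

build_pki() {
    write_configs
    # 1. A root that clients already trust (think: pre-loaded in the OS store).
    key_and_csr oldroot "Old Trusted Root"
    openssl x509 -req -in "$WORK/oldroot.csr" -signkey "$WORK/oldroot.key" \
        -days 3650 -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/oldroot.crt" 2>/dev/null
    # 2. The new CA: ONE key and ONE CSR, certified twice.
    key_and_csr newca "New CA"
    #    2a. Self-signed: the version submitted for inclusion in trust stores.
    openssl x509 -req -in "$WORK/newca.csr" -signkey "$WORK/newca.key" \
        -days 3650 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/newca-root.crt" 2>/dev/null
    #    2b. Cross-signed by the old root: the version handed out as an intermediate.
    openssl x509 -req -in "$WORK/newca.csr" -CA "$WORK/oldroot.crt" -CAkey "$WORK/oldroot.key" \
        -days 3650 -set_serial 3 -extfile "$WORK/ca.ext" -out "$WORK/newca-cross.crt" 2>/dev/null
    # 3. A leaf issued by the new CA key; its issuer name and AKI match both CA certs.
    key_and_csr leaf "example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/newca-root.crt" -CAkey "$WORK/newca.key" \
        -days 365 -set_serial 100 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Field extractors used in the comparisons below.
ski()    { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '; }
aki()    { openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' | tail -n1 | tr -d ' '; }
issuer() { openssl x509 -in "$1" -noout -issuer; }
pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# The two "New CA" certificates: same SKI and key, different issuer and AKI.
same_ski()         { [ "$(ski "$WORK/newca-root.crt")" = "$(ski "$WORK/newca-cross.crt")" ]; }
same_pubkey()      { [ "$(pubkey "$WORK/newca-root.crt")" = "$(pubkey "$WORK/newca-cross.crt")" ]; }
different_issuer() { [ "$(issuer "$WORK/newca-root.crt")" != "$(issuer "$WORK/newca-cross.crt")" ]; }
different_aki()    { [ "$(aki "$WORK/newca-root.crt")" != "$(aki "$WORK/newca-cross.crt")" ]; }

# Chain building from three client perspectives.
verify_old_client()         { openssl verify -CAfile "$WORK/oldroot.crt" -untrusted "$WORK/newca-cross.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
verify_new_client()         { openssl verify -CAfile "$WORK/newca-root.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
verify_old_client_nocross() { openssl verify -CAfile "$WORK/oldroot.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }

build_pki
echo "self-signed : SKI $(ski "$WORK/newca-root.crt")  $(issuer "$WORK/newca-root.crt")"
echo "cross-signed: SKI $(ski "$WORK/newca-cross.crt")  $(issuer "$WORK/newca-cross.crt")"
verify_old_client && echo "old root trusted + cross cert as intermediate : chain OK"
verify_new_client && echo "new root trusted, no cross cert              : chain OK"
verify_old_client_nocross || echo "old root trusted, cross cert missing        : chain FAILS (expected)"
```

The third verification is the case the question is really about: a client that only has the old root and is not handed the cross-signed intermediate cannot build a chain at all, which is why a CA serves the cross-signed certificate even after its self-signed root has been added to most trust stores. Windows picks whichever of the two it can reach from its own store, so the path it displays can legitimately differ from the bundle the CA supplied.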