Thank you Victor. Can you point me to the rfc that defines this? Best Am 25.03.2020 um 15:32 schrieb Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>: > > >> >> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann <noadsplease@xxxxxx> wrote: >> >> My expectation (maybe wrong) is that the serial and the issuer name belong to >> the same X509 certificate that the key id belongs to. > > Your expectation is "wrong". The issuer DN in the AKID is in fact > supposed to be the issuer's issuer. It would be redundant to > encode the issuer DN there, it is already present in the EE > certificate. > > -- > Viktor. >
