OpenSSL 111: authorityKeyIdentifier

Viktor Dukhovni openssl-users at
Wed Mar 25 14:31:30 UTC 2020

> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann <noadsplease at> wrote:
> My expectation (maybe wrong) is that the serial and the issuer name belong to
> the same X509 certificate that the key id belongs to.

Your expectation is "wrong".  The issuer DN in the AKID is in fact
supposed to be the issuer's issuer.  It would be redundant to
encode the issuer DN there, it is already present in the EE
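
The point of the reply, as an added example that is not part of the original message and is not OpenSSL code: it uses the Python `cryptography` package to build a constructed three-certificate chain and fills in the EE's AKID the way the reply describes, with the issuer certificate's own issuer DN and serial. All names, serial numbers and the helper functions `issue`, `akid_identifies` and `build_chain` are assumptions made for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, serial, pub, signer_key, issuer_cert=None):
    """Issue a certificate; issuer_cert=None means a self-signed root."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(pub).serial_number(serial)
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False))
    if issuer_cert is not None:
        skid = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        # The AKID names the issuer's certificate: its key id, ITS issuer DN, ITS serial.
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            skid.digest, [x509.DirectoryName(issuer_cert.issuer)],
            issuer_cert.serial_number), critical=False)
    return b.sign(signer_key, hashes.SHA256())

def akid_identifies(cert, candidate):
    """True if candidate is the certificate that cert's AKID points at."""
    akid = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    skid = candidate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    dns = [g.value for g in akid.authority_cert_issuer if isinstance(g, x509.DirectoryName)]
    return (akid.key_identifier == skid.digest
            and candidate.issuer in dns
            and candidate.serial_number == akid.authority_cert_serial_number)

def build_chain():
    """Constructed chain: root -> intermediate -> end entity (EE)."""
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in range(3)]
    root = issue(name("Constructed Root"), 1001, keys[0].public_key(), keys[0])
    inter = issue(name("Constructed Intermediate"), 2002, keys[1].public_key(), keys[0], root)
    ee = issue(name("constructed-ee.example"), 3003, keys[2].public_key(), keys[1], inter)
    return root, inter, ee

if __name__ == "__main__":
    root, inter, ee = build_chain()
    akid = ee.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    print("EE issuer DN  :", ee.issuer.rfc4514_string())
    print("AKID issuer DN:", akid.authority_cert_issuer[0].value.rfc4514_string())
    print("AKID serial   :", akid.authority_cert_serial_number)
```

The AKID issuer DN printed for the EE is the root's name, while the EE's own issuer field carries the intermediate's name; the (issuer DN, serial) pair matches the intermediate certificate.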

