If no information exists in the AKI, or if the AKI does not exist in the evaluated certificate, the certificate chaining engine uses a name match to find the issuing CA's certificate. To perform name matching, the certificate chaining engine matches the contents of the evaluated certificate's Issuer field to the Subject field of the issuing CA's certificate. (See Figure 9-3.)
Note The name matching process is case sensitive.
The right certificate's Issuer field contains the same subject name as the left certificate's Subject field.
Note Multiple matches are possible when name matching is used to build a certificate chain. This scenario occurs when the CA certificate is renewed with either the same key pair or a new key pair. When the CA certificate is renewed, the Subject of the CA certificate does not change.
Was this article helpful?