Hi Danny,
The AKI extension contains 3 fields:
* keyIdentifier, which is a sequence of bytes. You can get the bytes from keyIdentifier.p with length keyIdentifier.len.
* authorityCertIssuer, which is a sequence of names (like in a Subject Alternative Name extension). You should be able to iterate through this sequence and call `mbedtls_x509_parse_subject_alt_name()` on each name to get the information out.
* authorityCertSerialNumber, which is an integer. You can call mbedtls_asn1_get_int() on the underlying buffer to convert this to an integer.
These are all wrapped in the mbedtls_asn1_buf structure, which contains a tag (the type), a len (the length) and p (a pointer to the actual data). The cert issuer is a sequence of these values.
Hopefully that gives you enough to get started.
Many thanks,
David
Mbed TLS developer
________________________________
From: Danny Backx via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 19 June 2026 16:36
To: Francois Mace <mace.francois@gmail.com>
Cc: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] Re: extract AKI info from cert via mbedtls ?
Hi François,
Thanks for responding. Apologies for not including context. I'm using esp-idf v6 which includes mbedtls 4.0. My "application" is a re-usable library that obtains certificates using ACME.
I saw the field in the class definition. I get from your reply it's ok for me to use it.
So let me ask a noob question. How do I use this to produce strings in C or C++ code? The mbedtls_x509_authority structure consists of buffers in something other than such C/C++ string formats.
Danny
On 6/19/26 13:22, Francois Mace wrote:
Hello Danny,
What is the version of mbed TLS you are using?
I think the latest version exposes AKI with
mbedtls_x509_authority authority_key_id;
as a member of the mbedtls_x509_crt class.
Best regards,
François
On Thu, 18 June 2026 at 18:05, Danny Backx via mbed-tls <mbed-tls@lists.trustedfirmware.org> wrote:
Hi,
How can I extract the AKI (Authority Key Identifier) from a certificate using mbedtls?
I could parse the certificate file itself, I guess, but isn't that what mbedtls does?
Thanks,
Danny
https://www.rfc-editor.org/info/rfc5280#section-4.2.1.1
-- Danny Backx - dannybackx@telenet.be
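Added example, not part of the thread and not Mbed TLS code: a self-contained C program that turns the (tag, len, p) buffers described in David's reply into printable strings, using the AuthorityKeyIdentifier layout from RFC 5280 section 4.2.1.1. `asn1_slice`, `hex_colon`, `aki_split` and the sample bytes are hypothetical names and constructed data; with Mbed TLS the same `hex_colon` call would be given `keyIdentifier.p` and `keyIdentifier.len`. The serial number is rendered as hex bytes because RFC 5280 allows serials of up to 20 octets, which do not fit in an int.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in (assumption) for the tag/len/p buffer described in the thread. */
typedef struct { int tag; size_t len; const unsigned char *p; } asn1_slice;

/* Constructed sample: SEQUENCE { [0] DE AD BE EF, [2] 01 A5 }, no issuer. */
const unsigned char SAMPLE_AKI[] = { 0x30, 0x0A, 0x80, 0x04, 0xDE, 0xAD,
                                     0xBE, 0xEF, 0x82, 0x02, 0x01, 0xA5 };

/* Render len bytes as "AA:BB:.." into out; -1 if out cannot hold the result. */
int hex_colon(const unsigned char *p, size_t len, char *out, size_t out_sz)
{
    static const char digits[] = "0123456789ABCDEF";
    size_t need = len ? len * 3 : 1;   /* 3 chars per byte, last ':' is the NUL */
    if (out == NULL || out_sz < need || (len && p == NULL)) return -1;
    for (size_t i = 0; i < len; i++) {
        *out++ = digits[p[i] >> 4];
        *out++ = digits[p[i] & 0x0F];
        if (i + 1 < len) *out++ = ':';
    }
    *out = '\0';
    return 0;
}

/* Split an AKI SEQUENCE into out[0]=keyIdentifier, out[1]=authorityCertIssuer,
 * out[2]=authorityCertSerialNumber. Short-form DER lengths (< 128) only. */
int aki_split(const unsigned char *der, size_t len, asn1_slice out[3])
{
    if (der == NULL || len < 2 || der[0] != 0x30 || der[1] != len - 2) return -1;
    const unsigned char *p = der + 2, *end = der + len;
    memset(out, 0, 3 * sizeof out[0]);
    while (p < end) {
        if (end - p < 2 || p[1] >= 0x80 || (size_t)(end - p - 2) < p[1]) return -1;
        int idx = p[0] & 0x1F;                    /* context tag number */
        if ((p[0] & 0xC0) != 0x80 || idx > 2) return -1;
        out[idx].tag = p[0]; out[idx].len = p[1]; out[idx].p = p + 2;
        p += 2 + p[1];
    }
    return 0;
}

int main(void)
{
    asn1_slice f[3]; char s[64];
    if (aki_split(SAMPLE_AKI, sizeof SAMPLE_AKI, f) != 0) return 1;
    if (hex_colon(f[0].p, f[0].len, s, sizeof s) == 0) printf("keyIdentifier: %s\n", s);
    if (hex_colon(f[2].p, f[2].len, s, sizeof s) == 0) printf("serial: %s\n", s);
    return 0;
}
```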