Hi,
How can I extract the AKI (Authority Key Identifier) from a certificate using mbedtls?
I could parse the certificate file itself, I guess, but isn't that what mbedtls does?
Thanks,
Danny
https://www.rfc-editor.org/info/rfc5280#section-4.2.1.1
Hello Danny,
What is the version of mbed TLS you are using?
I think the latest version exposes the AKI with
mbedtls_x509_authority authority_key_id;
as a member of the mbedtls_x509_crt class.
Best regards,
François
On Thu, 18 Jun 2026 at 18:05, Danny Backx via mbed-tls <mbed-tls@lists.trustedfirmware.org> wrote:
Hi François,
Thanks for responding. Apologies for not including context. I'm using esp-idf v6 which includes mbedtls 4.0. My "application" is a re-usable library that obtains certificates using ACME.
I saw the field in the class definition. I get from your reply it's ok for me to use it.
So let me ask a noob question. How do I use this to produce strings in C or C++ code? The mbedtls_x509_authority structure consists of buffers in something other than such C/C++ string formats.
Danny
On 6/19/26 13:22, Francois Mace wrote:
Hi Danny,
The AKI extension contains 3 fields:
* keyIdentifier, which is a sequence of bytes. You can get the bytes from keyIdentifier.p with length keyIdentifier.len.
* authorityCertIssuer, which is a sequence of names (like in a Subject Alternative Name extension). You should be able to iterate through this sequence and call `mbedtls_x509_parse_subject_alt_name()` on each name to get the information out.
* authorityCertSerialNumber, which is an integer. You can call mbedtls_asn1_get_int() on the underlying buffer to convert this to an integer.
These are all wrapped in the mbedtls_asn1_buf structure, which contains a tag (the type), a len (the length) and p (a pointer to the actual data). The cert issuer is a sequence of these values.
Hopefully that gives you enough to get started.
Many thanks,
David
Mbed TLS developer

From: Danny Backx via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 19 June 2026 16:36
To: Francois Mace <mace.francois@gmail.com>
Cc: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] Re: extract AKI info from cert via mbedtls ?
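Worked example, added here and not code from the thread or from the Mbed TLS project: it turns the keyIdentifier and authorityCertSerialNumber buffers David describes above into C strings (the conversion Danny asked about), and adds the check a chain builder for ACME-issued certificates wants, namely whether a candidate issuer's Subject Key Identifier equals the leaf's AKI keyIdentifier. Assumptions, so that it compiles without Mbed TLS: the `aki_buf` type stands in for mbedtls_asn1_buf (tag, len, p); in a real build drop it, include <mbedtls/x509_crt.h> and pass crt->authority_key_id.keyIdentifier, crt->authority_key_id.authorityCertSerialNumber and the issuer's crt->subject_key_id, whose .p/.len are assumed to hold the raw content octets of the element (no tag or length bytes). The authorityCertIssuer name list is left to the library call David names. Two caveats: RFC 5280 allows serial numbers of up to 20 octets, so a conversion to int only works for small serials and the example keeps the bytes; and both key identifiers are unsigned metadata, so the match is only a hint for picking the right intermediate, never a substitute for mbedtls_x509_crt_verify().

```c
/* Added example, not from the mailing-list thread or the Mbed TLS project.
 * aki_buf mirrors mbedtls_asn1_buf {tag, len, p} so this file builds
 * stand-alone (assumption); with Mbed TLS, use the crt fields directly. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct aki_buf {
    int tag;            /* ASN.1 tag of the element; not inspected here */
    size_t len;         /* number of bytes at p; NOT NUL-terminated */
    unsigned char *p;   /* points into the parsed certificate, do not free */
} aki_buf;

/* Lowercase hex of b->p[0..len) as a NUL-terminated C string.
 * Returns chars written (excluding NUL), or -1 if `out` is too small. */
static int aki_buf_to_hex(const aki_buf *b, char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    if (b == NULL || out_size < b->len * 2 + 1) {
        return -1;
    }
    for (size_t i = 0; i < b->len; i++) {
        out[2 * i]     = digits[b->p[i] >> 4];
        out[2 * i + 1] = digits[b->p[i] & 0x0f];
    }
    out[2 * b->len] = '\0';
    return (int) (b->len * 2);
}

/* authorityCertSerialNumber as "03:a1:00:ff" (openssl style). Serials may
 * be up to 20 octets (RFC 5280 4.1.2.2), so keep them as bytes, not an int.
 * Needs out_size >= 3 * len; returns chars written or -1. */
static int aki_serial_to_str(const aki_buf *serial, char *out, size_t out_size)
{
    if (serial == NULL || serial->len == 0 || out_size < serial->len * 3) {
        return -1;
    }
    size_t n = 0;
    for (size_t i = 0; i < serial->len; i++) {
        n += (size_t) snprintf(out + n, out_size - n, "%02x%s",
                               serial->p[i], i + 1 < serial->len ? ":" : "");
    }
    return (int) n;
}

/* 1 if the child's AKI keyIdentifier equals the issuer's Subject Key
 * Identifier. Chain-selection hint only: neither field is signed by anyone
 * you trust yet, so the real decision stays with mbedtls_x509_crt_verify(). */
static int aki_matches_ski(const aki_buf *child_aki_keyid, const aki_buf *issuer_ski)
{
    if (child_aki_keyid == NULL || issuer_ski == NULL ||
        child_aki_keyid->len == 0 || issuer_ski->len == 0) {
        return 0;   /* absent on either side: no opinion, treated as no match */
    }
    return child_aki_keyid->len == issuer_ski->len &&
           memcmp(child_aki_keyid->p, issuer_ski->p, issuer_ski->len) == 0;
}

/* Constructed sample values (not taken from any real certificate). */
static unsigned char sample_keyid[20] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};
static unsigned char sample_serial[4] = { 0x03, 0xa1, 0x00, 0xff };
static unsigned char other_keyid[20] = { 0 };

int main(void)
{
    aki_buf keyid  = { 0, sizeof sample_keyid, sample_keyid };
    aki_buf serial = { 0, sizeof sample_serial, sample_serial };
    aki_buf ski_ok = { 0, sizeof sample_keyid, sample_keyid };  /* right issuer */
    aki_buf ski_no = { 0, sizeof other_keyid, other_keyid };    /* wrong issuer */
    char hex[2 * sizeof sample_keyid + 1];
    char ser[3 * sizeof sample_serial];

    aki_buf_to_hex(&keyid, hex, sizeof hex);
    aki_serial_to_str(&serial, ser, sizeof ser);
    printf("AKI keyIdentifier:         %s\n", hex);
    printf("authorityCertSerialNumber: %s\n", ser);
    printf("issuer A matches: %d, issuer B matches: %d\n",
           aki_matches_ski(&keyid, &ski_ok), aki_matches_ski(&keyid, &ski_no));
    return 0;
}
```

The helpers never touch the bytes behind `p`, which belong to the parsed certificate and stay valid only as long as the mbedtls_x509_crt does; copy the resulting strings out if they must outlive the certificate object.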
Thanks. After rephrasing my question and re-reading it, it seems clear to me.
The base type for strings in mbedtls is unterminated (as opposed to the C standard).
I thought I was asking for access functions but those were really conversions away from mbedtls's base format.
So they're out of scope of the library.
I should access the fields directly and deal with such conversions in my own code, if I need to.
Danny
On 6/19/26 18:41, David Horstmann wrote: