Thanks. After rephrasing my question and re-reading it, it seems clear to me.

Base type for strings in mbedtls is unterminated (as opposed to C standard).

I thought I was asking for access functions but those were really conversions away from mbedtls's base format.

So they're out of scope of the library.

I should access the fields directly and deal with such conversions in my own code, if I need to.

    Danny

Hi Danny,

The AKI extension contains 3 fields:

• keyIdentifier, which is a sequence of bytes. You can get the bytes from keyIdentifier.p with length keyIdentifier.len.
• authorityCertIssuer, which is a sequence of names (like in a Subject Alternative Name extension). You should be able to iterate through this sequence and call `mbedtls_x509_parse_subject_alt_name()` on each name to get the information out.
• authorityCertSerialNumber, which is an integer. You can call mbedtls_asn1_get_int() on the underlying buffer to convert this to an integer
  
  

These are all wrapped in the mbedtls_asn1_buf structure, which contains a tag (the type), a len (the length) and p (a pointer to the actual data). The cert issuer is a sequence of these values.

Hopefully that gives you enough to get started.

Many thanks,

David

Mbed TLS developer

---

From: Danny Backx via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 19 June 2026 16:36
To: Francois Mace <mace.francois@gmail.com>
Cc: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Re: extract AKI info from cert via mbedtls ?

 

Hi François,

Thanks for responding. Apologies for not including context. I'm using esp-idf v6 which includes mbedtls 4.0. My "application" is a re-usable library that obtains certificates using ACME.

I saw the field in the class definition. I get from your reply it's ok for me to use it.

So let me ask a noob question. How do I use this to produce strings in C or C++ code ? The mbedtls_x509_authority structure consists of buffers in something other than such C/C++ string formats.

    Danny

On 6/19/26 13:22, Francois Mace wrote:

Hello Danny,

What is the version of mbed TLS you are using?

I think latest version expose AKI with

mbedtls_x509_authority authority_key_id;

as a member of the  mbedtls_x509_crt class.

Best regards,

François

Le jeu. 18 juin 2026 à 18:05, Danny Backx via mbed-tls <mbed-tls@lists.trustedfirmware.org> a écrit :

Hi,

How can I extract the AKI (Authority Key Identifier) from a certificate using mbedtls ?

I could parse the certificate file itself, I guess, but isn't that what mbedtls does?

Thanks,

    Danny

https://www.rfc-editor.org/info/rfc5280#section-4.2.1.1

--
Danny Backx - dannybackx@telenet.be

--
mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org

--
Danny Backx - dannybackx@telenet.be