When verifying a certificate against a CA or a chain of CAs, the system needs to identify the issuer CA of the certificate in question. SR OS searches all configured ca-profiles to find the issuer CA, using the following criteria:
The issuer CA’s certificate subject must match the issuer field of the certificate in question.
If present, the authority key identifier of the certificate in question must match the subject key identifier of the issuer CA’s certificate.
If present, the key usage extension of the issuer CA’s certificate must permit certificate signing.
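The three criteria above, applied to a simplified certificate model. This is an added example, not SR OS code: the `Cert` fields, the profile names and all values are constructed, and the handling of a CA certificate that lacks a subject key identifier is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the parsed X.509 fields the lookup reads."""
    subject: str
    issuer: str
    ski: Optional[str] = None                   # subject key identifier; None = absent
    aki: Optional[str] = None                   # authority key identifier; None = absent
    key_usage: Optional[FrozenSet[str]] = None  # None = extension absent

def is_issuer(ca: Cert, cert: Cert) -> bool:
    # 1. The CA's subject must match the certificate's issuer field.
    #    (Plain string equality here; real code compares normalized DNs.)
    if ca.subject != cert.issuer:
        return False
    # 2. Only if the certificate carries an AKI: it must equal the CA's SKI.
    #    Assumption: a CA certificate with no SKI cannot satisfy this check.
    if cert.aki is not None and cert.aki != ca.ski:
        return False
    # 3. Only if the CA carries keyUsage: it must permit certificate signing.
    if ca.key_usage is not None and "keyCertSign" not in ca.key_usage:
        return False
    return True

def find_issuer(cert: Cert, ca_profiles: Dict[str, Cert]) -> List[str]:
    """Return the names of every configured ca-profile that qualifies as issuer."""
    return [name for name, ca in ca_profiles.items() if is_issuer(ca, cert)]

# Constructed ca-profiles: three share one subject name (for example after a key
# rollover), so the name match alone cannot tell them apart.
ROOT = "CN=Example Root CA"
CA_PROFILES = {
    "ca-old": Cert(ROOT, ROOT, ski="aa11"),
    "ca-new": Cert(ROOT, ROOT, ski="bb22",
                   key_usage=frozenset({"keyCertSign", "cRLSign"})),
    "ca-nosign": Cert(ROOT, ROOT, ski="cc33",
                      key_usage=frozenset({"digitalSignature"})),
    "ca-other": Cert("CN=Other CA", "CN=Other CA", ski="dd44"),
}

if __name__ == "__main__":
    leaf = Cert("CN=peer-1", ROOT, aki="bb22")
    print(find_issuer(leaf, CA_PROFILES))
```

A certificate without an authority key identifier matches both "ca-old" and "ca-new" in this model, which is why the identifier check matters when several CA certificates share a subject name.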