diff --git a/src/share/classes/sun/security/provider/certpath/CertId.java b/src/share/classes/sun/security/provider/certpath/CertId.java
index 731111e14b8fd3fb21c1f570de0d89c755a1f7e5..ff7be695d5b2b28bf495ec6a19288e2ca455aca4 100644
--- a/src/share/classes/sun/security/provider/certpath/CertId.java
+++ b/src/share/classes/sun/security/provider/certpath/CertId.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,8 +29,10 @@ import java.io.IOException;
 import java.math.BigInteger;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import javax.security.auth.x500.X500Principal;
 import sun.misc.HexDumpEncoder;
 import sun.security.x509.*;
 import sun.security.util.*;
@@ -70,6 +72,13 @@ public class CertId {
 public CertId(X509Certificate issuerCert, SerialNumber serialNumber)
 throws IOException {
 
+ this(issuerCert.getSubjectX500Principal(),
+ issuerCert.getPublicKey(), serialNumber);
+ }
+
+ public CertId(X500Principal issuerName, PublicKey issuerKey,
+ SerialNumber serialNumber) throws IOException {
+
 // compute issuerNameHash
 MessageDigest md = null;
 try {
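Review bot: The new public constructor `CertId(X500Principal issuerName, PublicKey issuerKey, SerialNumber serialNumber)` has no doc comment, and its contract is stricter than the signature suggests: the next hunk parses `issuerKey.getEncoded()` as a DER SEQUENCE (AlgorithmID followed by the key bit string), which the certificate-based constructor guaranteed and an arbitrary `PublicKey` does not. I would add a Javadoc above it along the lines of `Creates a CertId from an issuer name and key. issuerKey must be X.509-encoded (its getEncoded() form is a SubjectPublicKeyInfo), as is the case for a certificate's key or a name/key TrustAnchor.` with `@throws IOException if the name or key hash cannot be computed`. The constructor body continues past the end of this hunk.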
@@ -78,11 +87,11 @@ public class CertId {
 throw new IOException("Unable to create CertId", nsae);
 }
 hashAlgId = SHA1_ALGID;
- md.update(issuerCert.getSubjectX500Principal().getEncoded());
+ md.update(issuerName.getEncoded());
 issuerNameHash = md.digest();
 
 // compute issuerKeyHash (remove the tag and length)
- byte[] pubKey = issuerCert.getPublicKey().getEncoded();
+ byte[] pubKey = issuerKey.getEncoded();
 DerValue val = new DerValue(pubKey);
 DerValue[] seq = new DerValue[2];
 seq[0] = val.data.getDerValue(); // AlgorithmID
@@ -94,7 +103,7 @@ public class CertId {
 
 if (debug) {
 HexDumpEncoder encoder = new HexDumpEncoder();
- System.out.println("Issuer Certificate is " + issuerCert);
+ System.out.println("Issuer Name is " + issuerName);
 System.out.println("issuerNameHash is " +
 encoder.encodeBuffer(issuerNameHash));
 System.out.println("issuerKeyHash is " +
diff --git a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
index 136aacdfee2da9e65f23244bfc7f7bdd790adfad..ab784524546df25821c4d95e8e31cabfb0635d94 100644
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
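Review bot: `byte[] pubKey = issuerKey.getEncoded();` now accepts any `PublicKey`, and `Key.getEncoded()` is specified to return null for keys that do not support encoding; the following `new DerValue(pubKey)` would then fail with an unchecked exception (NullPointerException) instead of the `IOException` this constructor otherwise reports. Since callers can now pass a trust-anchor key rather than one parsed out of a certificate, a guard before the parse fails cleanly: `if (pubKey == null) { throw new IOException("Unable to create CertId: issuer key has no encoding"); }`. Checking `"X.509".equals(issuerKey.getFormat())` in the same place would also confirm the encoding is the SubjectPublicKeyInfo that the tag-and-length stripping below assumes, though whether a non-X.509 key can actually reach this code I cannot tell from the hunk. The enclosing constructor begins and ends outside this hunk.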
@@ -345,10 +345,8 @@ class DistributionPointFetcher {
 return false;
 } else {
 // in case of self-issued indirect CRL issuer.
- byte[] certAKID = certImpl.getExtensionValue(
- AuthorityKey_Id.toString());
- byte[] crlAKID = crlImpl.getExtensionValue(
- AuthorityKey_Id.toString());
+ KeyIdentifier certAKID = certImpl.getAuthKeyId();
+ KeyIdentifier crlAKID = crlImpl.getAuthKeyId();
 
 if (certAKID == null || crlAKID == null) {
 // cannot recognize indirect CRL without AKID
@@ -359,7 +357,7 @@ class DistributionPointFetcher {
 // reset the public key used to verify the CRL's signature
 prevKey = certImpl.getPublicKey();
 }
- } else if (!Arrays.equals(certAKID, crlAKID)) {
+ } else if (!certAKID.equals(crlAKID)) {
 // we accept the case that a CRL issuer provide status
 // information for itself.
 if (issues(certImpl, crlImpl, provider)) {
diff --git a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
index b65b6df1eb4337a2a99aa25a84e569bdd38ea1e9..98d8a9d227237650e8fdcdeb7e454d502373c76d 100644
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
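Review bot: The comment `// cannot recognize indirect CRL without AKID` no longer describes the null case exactly: `getAuthKeyId()` (added to X509CertImpl in this change) returns only the keyIdentifier component, so it is presumably also null when the AuthorityKeyIdentifier extension is present but carries just authorityCertIssuer/authorityCertSerialNumber, a case the old `getExtensionValue` comparison treated as "has AKID". Falling back to `issues(certImpl, crlImpl, provider)` there is still safe, since this branch only decides which key (`prevKey`) later verifies the CRL signature, but the comment should say what is really tested: `// cannot recognize indirect CRL without a keyIdentifier in AKID`. The enclosing method starts and ends outside this hunk.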
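Review bot: `!certAKID.equals(crlAKID)` narrows the comparison from the whole DER-encoded AKID extension value (`Arrays.equals` on the `getExtensionValue` bytes) to the keyIdentifier alone, so a certificate and CRL whose AKIDs share a keyIdentifier but differ in authorityCertIssuer/serialNumber now take the same-issuer path instead of the self-issued check. That is acceptable only because, as the comment in this hunk says, the outcome merely selects the key used to verify the CRL's signature; it also relies on `KeyIdentifier.equals` comparing identifier octets rather than object identity, which I cannot confirm from the hunk. A one-line comment would record the intent: `// compares the keyIdentifier octets only; issuer/serial in the AKID are not considered`. The enclosing method starts and ends outside this hunk.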
@@ -643,7 +643,14 @@ class RevocationChecker extends PKIXRevocationChecker {
 OCSPResponse response = null;
 CertId certId = null;
 try {
- certId = new CertId(issuerCert, currCert.getSerialNumberObject());
+ if (issuerCert != null) {
+ certId = new CertId(issuerCert,
+ currCert.getSerialNumberObject());
+ } else {
+ // must be an anchor name and key
+ certId = new CertId(anchor.getCA(), anchor.getCAPublicKey(),
+ currCert.getSerialNumberObject());
+ }
 
 // check if there is a cached OCSP response available
 byte[] responseBytes = ocspResponses.get(cert);
diff --git a/src/share/classes/sun/security/x509/X509CertImpl.java b/src/share/classes/sun/security/x509/X509CertImpl.java
index 1593e5ed4ab818a519395f8868348aacb909574f..bd59b62811abeaa67c3a8f22990e30ea6d2f71f6 100644
--- a/src/share/classes/sun/security/x509/X509CertImpl.java
+++ b/src/share/classes/sun/security/x509/X509CertImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1095,6 +1095,18 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
 }
 }
 
+ public KeyIdentifier getAuthKeyId() {
+ AuthorityKeyIdentifierExtension aki
+ = getAuthorityKeyIdentifierExtension();
+ if (aki != null) {
+ try {
+ return (KeyIdentifier)aki.get(
+ AuthorityKeyIdentifierExtension.KEY_ID);
+ } catch (IOException ioe) {} // not possible
+ }
+ return null;
+ }
+
 /**
 * Get AuthorityKeyIdentifier extension
 * @return AuthorityKeyIdentifier object or null (if no such object
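Review bot: The new `else` branch dereferences `anchor` and relies on `anchor.getCA()` and `anchor.getCAPublicKey()` being non-null, which `TrustAnchor` only guarantees for anchors built from a name and key; `// must be an anchor name and key` states that assumption but nothing enforces it, so a null `anchor`, or a certificate-based anchor reached with `issuerCert` unexpectedly null, would surface as a NullPointerException inside `new CertId(...)` rather than as a revocation-check failure. I would make the precondition explicit before the call, e.g. `if (anchor == null || anchor.getCA() == null) { throw new CertPathValidatorException("no issuer certificate or trust anchor name/key for OCSP CertId"); }`, using whichever exception the surrounding `catch` (outside this hunk) maps into the checker's error handling. Whether the callers already make this unreachable I cannot tell from the hunk; the enclosing method and its `try` continue past it.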
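Review bot: `getAuthKeyId()` is a new public method without a doc comment, and its `catch (IOException ioe) {} // not possible` silently maps an unexpected failure to null — the same value the indirect-CRL check in DistributionPointFetcher reads as "no AKID", so a future change that made `aki.get` throw would quietly alter which key is chosen to verify a CRL. If the exception genuinely cannot occur, make that visible instead of swallowing it: `} catch (IOException ioe) { throw new AssertionError("KEY_ID is a known AuthorityKeyIdentifierExtension attribute", ioe); }`. A Javadoc should also state the contract, roughly `Returns the keyIdentifier of this certificate's AuthorityKeyIdentifier extension, or null if the extension is absent`, noting (to be confirmed against `AuthorityKeyIdentifierExtension.get`) that it is presumably also null when the extension has no keyIdentifier field.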