The X.509 spec makes frequent statements like this:
(b) If certificate i is self-issued and it is not the final
certificate in the path, skip this step for certificate i.
How can you have a cert that is self-issued and not be the final cert in the path? Is the issuer and the subject are the same how are you supposed to find parent cert?
Self-signed and self-issued are two different things. Thus, the self-issued certificate has the same subject as issuer, but is not signed by the same key. This means there is another certificate which binds the public key used to signed the self-issued certificate.
This can be used for key rollover, e.g. an organization starts using a new key, creates a new self-signed certificate and creates a self-issued certificate for the old key.
Self-issued means that the entity who issued (signed) the certificate is the same as the entity who received the certificate, and owns the public key contained therein. In the context of RFC 5280, a self-issued certificate is defined as:
A certificate is self-issued if the same DN appears in the subject
and issuer fields (the two DNs are the same if they match according
to the rules specified in Section 7.1)
Note that the name matching rules call for a rather complex normalization of whitespace and case.
Self-signed means that a certificate has been signed by the private key which corresponds to the public key in the certificate.
Self-issued certificates may be self-signed. Or not. It makes sense to have a certificate which is both self-issued and self-signed in case the self-issuance was meant to change other characteristics of the certificate, such as the extensions, validity dates, or even name encoding details.
In any case, you do not find parent certificates based on key alone; certificate path building tends to use the names and the "key identifiers" (Authority Key Identifier, Subject Key Identifier), and the download URL for the issuing CA in the Authority Information Access extension. There are many more ways than that; see RFC 4158 for a more thorough discussion. Bottom-line is that self-issued certificates, be they self-signed or not, may occur in the middle of certificate chains.
