We have some old certificates that have missing Authority Key Identifier and Subject Key Identifier fields. OpenSSL version 1.1.1 did not check these fields, even with -x509_strict, but since 3.0.0...