diff --git a/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt b/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt
index bdba1f4..e749e2b 100644
--- a/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt
+++ b/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt
@@ -92,7 +92,7 @@ class KeyAttestationCertPathValidator : CertPathValidatorSpi() {
     sigProvider: String?,
   ): CertPathValidatorResult {
     val certList = certPath.toCertList()
-    val selector = X509CertSelector().apply { issuer = certList.first().issuerX500Principal }
+    val selector = X509CertSelector().apply { subject = certList.first().issuerX500Principal }
 
     var lastException: CertPathValidatorException? = null
     for (anchor in trustAnchors) {
diff --git a/src/main/kotlin/testing/Certs.kt b/src/main/kotlin/testing/Certs.kt
index daa066e..bef942c 100644
--- a/src/main/kotlin/testing/Certs.kt
+++ b/src/main/kotlin/testing/Certs.kt
@@ -54,6 +54,16 @@ object Certs {
   val factoryIntermediate = certFactory.factoryIntermediate
   val remoteIntermediate = certFactory.remoteIntermediate
   val factoryAttestation = certFactory.factoryAttestation
+  val notSelfIssuedAnchor =
+    TrustAnchor(
+      certFactory.generateIntermediateCertificate(
+        publicKey = certFactory.rootKey.public,
+        signingKey = certFactory.rootKey.private,
+        subject = certFactory.root.subject,
+        issuer = certFactory.factoryIntermediate.subject,
+      ),
+      null,
+    )
 }
 
 /**
diff --git a/src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt b/src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt
index f683a68..7b8bdba 100644
--- a/src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt
+++ b/src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt
@@ -18,6 +18,7 @@ package com.android.keyattestation.verifier.provider
 
 import com.android.keyattestation.verifier.KeyAttestationReason
 import com.android.keyattestation.verifier.testing.CertLists
+import com.android.keyattestation.verifier.testing.Certs.notSelfIssuedAnchor
 import com.android.keyattestation.verifier.testing.Certs.rootAnchor as testAnchor
 import com.android.keyattestation.verifier.testing.Chains
 import com.android.keyattestation.verifier.testing.FakeCalendar
@@ -167,6 +168,19 @@ class KeyAttestationCertPathValidatorTest {
     assertThat(exception.reason).isEqualTo(PKIXReason.NO_TRUST_ANCHOR)
   }
 
+  @Test
+  fun notSelfIssuedTrustAnchor_succeeds() {
+    val params =
+      PKIXParameters(setOf(notSelfIssuedAnchor)).apply { date = FakeCalendar.DEFAULT.today() }
+    val result =
+      certPathValidator.validate(Chains.validFactoryProvisioned, params)
+        as PKIXCertPathValidatorResult
+    assertThat(result.trustAnchor).isEqualTo(notSelfIssuedAnchor)
+    assertThat(result.policyTree).isNull()
+    assertThat(result.publicKey)
+      .isEqualTo(Chains.validFactoryProvisioned.certificates.first().publicKey)
+  }
+
   @Test
   fun wrongIssuer_throwsCertPathValidatorException() {
     val certPath = Chains.wrongIssuer