diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index 5fed3a9fd07a19..b0c8dfbb8c33fd 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -401,9 +401,22 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
         rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
         break;
     case NID_id_it_rootCaCert:
-        rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
-                                                ctx->newWithOld,
-                                                ctx->oldWithNew);
+        {
+            X509 *rootcacert = NULL;
+
+            if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
+                return NULL;
+
+            if (rootcacert != NULL
+                && X509_NAME_cmp(X509_get_subject_name(rootcacert),
+                                 X509_get_subject_name(ctx->newWithNew)) != 0)
+                /* The subjects do not match */
+                rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
+            else
+                rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
+                                                        ctx->newWithOld,
+                                                        ctx->oldWithNew);
+        }
         break;
     default:
         rsp = OSSL_CMP_ITAV_dup(req);
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index 3049d4f0800817..2c9dd6a5470841 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -287,23 +287,31 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
                                                  const X509 *oldWithNew)
 {
     OSSL_CMP_ITAV *itav;
-    OSSL_CMP_ROOTCAKEYUPDATE *upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
+    OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;
 
+    if (newWithNew == NULL)
+        goto null_value;
+
+    upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
     if (upd == NULL)
         return NULL;
-    if (newWithNew != NULL && (upd->newWithNew = X509_dup(newWithNew)) == NULL)
+
+    if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
         goto err;
     if (newWithOld != NULL && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
         goto err;
     if (oldWithNew != NULL && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
         goto err;
+
+ null_value:
     if ((itav = OSSL_CMP_ITAV_new()) == NULL)
         goto err;
+
     itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
     itav->infoValue.rootCaKeyUpdate = upd;
     return itav;
 
-    err:
+ err:
     OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
     return NULL;
 }
@@ -324,11 +332,11 @@ int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
         return 0;
     }
     upd = itav->infoValue.rootCaKeyUpdate;
-    *newWithNew = upd->newWithNew;
+    *newWithNew = upd != NULL ? upd->newWithNew : NULL;
     if (newWithOld != NULL)
-        *newWithOld = upd->newWithOld;
+        *newWithOld = upd != NULL ? upd->newWithOld : NULL;
     if (oldWithNew != NULL)
-        *oldWithNew = upd->oldWithNew;
+        *oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
     return 1;
 }
 
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index dad6ef1189713e..7c38d3367c5a73 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -307,9 +307,11 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
     if (!OSSL_CMP_ITAV_get0_rootCaKeyUpdate(itav, newWithNew,
                                             &my_newWithOld, &my_oldWithNew))
         goto end;
-
-    if (*newWithNew == NULL) /* no root CA cert update available */
+    /* no root CA cert update available */
+    if (*newWithNew == NULL) {
+        res = 1;
         goto end;
+    }
     if ((oldWithOld_copy = X509_dup(oldWithOld)) == NULL && oldWithOld != NULL)
         goto end;
     if (!verify_ss_cert_trans(ctx, oldWithOld_copy, my_newWithOld,
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 6aa18599b18701..9162c329f14acf 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -77,7 +77,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 0,genm rootCaCert oldwithold empty file  , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, empty.txt     , -newwithnew, _RESULT_DIR/test.newwithnew.pem
 0,genm rootCaCert oldwithold random file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, random.bin    , -newwithnew, _RESULT_DIR/test.newwithnew.pem
 0,genm rootCaCert oldwithold nonexistent , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, idontexist    , -newwithnew, _RESULT_DIR/test.newwithnew.pem
-0,genm rootCaCert oldwithold wrong       , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt    , -newwithnew, _RESULT_DIR/test.newwithnew.pem
+1,genm rootCaCert oldwithold wrong       , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt    , -newwithnew, _RESULT_DIR/test.newwithnew.pem
 0,genm rootCaCert missing newwithnew     , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, BLANK      ,,
 0,genm rootCaCert newwithnew missing arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew,,
 1,genm rootCaCert with oldwithnew        , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew, _RESULT_DIR/test.newwithnew1.pem, -oldwithnew, _RESULT_DIR/test.oldwithnew1.pem