diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h
index f649eefef..72710b8a4 100644
--- a/linuxkm/linuxkm_wc_port.h
+++ b/linuxkm/linuxkm_wc_port.h
@@ -743,6 +743,9 @@
                 struct Signer* GetCAByKeyHash(void* vp, const unsigned char* keyHash);
             #endif /* HAVE_OCSP */
             #ifdef WOLFSSL_AKID_NAME
+                #ifdef WOLFSSL_API_PREFIX_MAP
+                    #define GetCAByAKID wolfSSL_GetCAByAKID
+                #endif
                 struct Signer* GetCAByAKID(void* vp, const unsigned char* issuer,
                                            unsigned int issuerSz,
                                            const unsigned char* serial,
@@ -1286,7 +1289,11 @@
             #endif /* HAVE_OCSP */
         #endif /* NO_SKID */
         #ifdef WOLFSSL_AKID_NAME
-            #define GetCAByAKID WC_PIE_INDIRECT_SYM(GetCAByAKID)
+            #ifdef WOLFSSL_API_PREFIX_MAP
+                #define wolfSSL_GetCAByAKID WC_PIE_INDIRECT_SYM(wolfSSL_GetCAByAKID)
+            #else
+                #define GetCAByAKID WC_PIE_INDIRECT_SYM(GetCAByAKID)
+            #endif
         #endif
 
         #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index ed3d6be98..79182b9ea 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -6698,10 +6698,11 @@ WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG,
     #ifndef GetCA
         WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash);
     #endif
-    #if defined(WOLFSSL_AKID_NAME) && !defined(GetCAByAKID)
-        #ifdef WOLFSSL_API_PREFIX_MAP
-            #define GetCAByAKID wolfSSL_GetCAByAKID
-        #endif
+    #if defined(WOLFSSL_AKID_NAME) && !defined(WC_SYM_RELOC_TABLES)
+        /* note WOLFSSL_API_PREFIX_MAPping is in asn.h, and if
+         * WC_SYM_RELOC_TABLES, the prototype is in the port layer
+         * (e.g. linuxkm_wc_port.h), to allow shimming.
+         */
         WOLFSSL_TEST_VIS Signer* GetCAByAKID(void* vp, const byte* issuer,
                 word32 issuerSz, const byte* serial, word32 serialSz);
     #endif
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index dd5263191..0d6ef5b06 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -2084,6 +2084,13 @@ typedef enum MimeStatus
     #define SetAlgoID wc_SetAlgoID
     #define SetAsymKeyDer wc_SetAsymKeyDer
     #define CalcHashId wc_CalcHashId
+    #if defined(WOLFSSL_AKID_NAME) && !defined(GetCAByAKID)
+        /* GetCAByAKID() has two implementations, a full implementation in
+         * src/ssl.c, and a dummy implementation in wolfcrypt/src/asn.c for
+         * WOLFCRYPT_ONLY builds.
+         */
+        #define GetCAByAKID wolfSSL_GetCAByAKID
+    #endif
 #endif /* WOLFSSL_API_PREFIX_MAP */
 
 WOLFSSL_LOCAL int HashIdAlg(word32 oidSum);