Ok, I will try to guess.
The AS certificate has a digital signature and a hash. The supplicant has the root CA with its public key. The supplicant calculates the hash of the AS digital signature and decrypts the hash in it with the public key from the root CA. It should match.
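The check on the supplicant side, as an added example that is not part of the original post: the digest is computed over the signed fields of the AS certificate and compared with the value recovered from the signature using the root CA public key. It uses textbook RSA without padding and constructed keys and certificate bytes, all of which are assumptions for illustration; real certificates use DER-encoded X.509 with PKCS#1 v1.5 or PSS padding.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_ca(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(tbs: bytes) -> int:
    """SHA-256 of the signed part of the certificate, as an integer."""
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big")

def ca_sign(tbs: bytes, private) -> int:
    """CA side: sign the digest with the private exponent (no padding)."""
    n, d = private
    return pow(digest(tbs), d, n)

def supplicant_verify(tbs: bytes, signature: int, public) -> bool:
    """Supplicant side: recover the digest from the signature with the CA
    public key and compare it with a freshly computed digest."""
    n, e = public
    return pow(signature, e, n) == digest(tbs)

# Constructed keys: Mersenne primes keep the example short, they are not secure.
ROOT_PUB, ROOT_PRIV = make_ca(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_ca(2**127 - 1, 2**1279 - 1)

# Constructed stand-in for the signed fields of the AS certificate.
AS_CERT = b"subject=CN=as.example.test;issuer=CN=Example Root CA;key=placeholder"
AS_SIG = ca_sign(AS_CERT, ROOT_PRIV)

def demo():
    """Three cases the supplicant must tell apart."""
    altered = AS_CERT.replace(b"as.example.test", b"as.other.test")
    untrusted_sig = ca_sign(AS_CERT, OTHER_PRIV)  # signed by a CA not in the trust store
    return {
        "genuine": supplicant_verify(AS_CERT, AS_SIG, ROOT_PUB),
        "altered_cert": supplicant_verify(altered, AS_SIG, ROOT_PUB),
        "untrusted_ca": supplicant_verify(AS_CERT, untrusted_sig, ROOT_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

Only the certificate signed by the trusted root verifies; a changed subject or a signature from a CA the supplicant does not hold fails the comparison.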