diff --git a/scripts/policy/protocols/ssl/certificate-request-info.zeek b/scripts/policy/protocols/ssl/certificate-request-info.zeek index 6eaa664077..0b22e48563 100644 --- a/scripts/policy/protocols/ssl/certificate-request-info.zeek +++ b/scripts/policy/protocols/ssl/certificate-request-info.zeek @@ -16,8 +16,8 @@ event ssl_certificate_request(c: connection, is_client: bool, certificate_types: return; local out: vector of string = vector(); - for ( i in certificate_authorities ) - out[i] = parse_distinguished_name(certificate_authorities[i]); + for ( _, ca in certificate_authorities ) + out += parse_distinguished_name(ca); c$ssl$requested_client_certificate_authorities = out; } diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index 44d70edf8c..2e91190b73 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif @@ -76,7 +76,6 @@ function set_keys%(c: connection, keys: string%): bool ## .. zeek:see:: ssl_certificate_request function parse_distinguished_name%(dn: string%): string %{ - std::string out = ""; const unsigned char* in = dn->Bytes(); X509_NAME* dn_x509 = d2i_X509_NAME(nullptr, &in, dn->Len()); @@ -92,8 +91,8 @@ function parse_distinguished_name%(dn: string%): string X509_NAME_print_ex(bio, dn_x509, 0, XN_FLAG_RFC2253); int len = BIO_gets(bio, buf, sizeof(buf)); - out.assign(buf, len); + auto out = zeek::make_intrusive(len, buf); BIO_free(bio); X509_NAME_free(dn_x509); - return zeek::make_intrusive(out); + return out; %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index aa642e18f7..ce19a4b2a9 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
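Review bot: In the second hunk of src/analyzer/protocol/ssl/functions.bif (`@@ -92,8 +91,8 @@`, inside parse_distinguished_name), the return value of `BIO_gets` goes straight into the string constructor as `len` without a check. BIO_gets can return zero or a negative value when the BIO is empty or the read fails. The DN bytes appear to come from a peer's CertificateRequest, so a name that prints to nothing would hand a non-positive length to `zeek::make_intrusive(len, buf)`. A guard such as `if ( len < 0 ) len = 0;` before that call keeps the result a well-formed empty string. The declaration of `buf` and any null checks on `dn_x509` and `bio` lie between the two hunks and are not visible, so whether long names are truncated at `sizeof(buf)` could not be checked from here.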
@@ -631,7 +631,7 @@ refine connection Handshake_Conn += { if ( ! ssl_certificate_request ) return true; - auto ctlist = zeek::make_intrusive(zeek::id::find_type("index_vec")); + auto ctlist = zeek::make_intrusive(zeek::id::index_vec); auto ctypes = ${req.certificate_types}; if ( ctypes ) @@ -656,11 +656,14 @@ refine connection Handshake_Conn += { } - auto calist = zeek::make_intrusive(zeek::id::find_type("string_vec")); + auto calist = zeek::make_intrusive(zeek::id::string_vec); auto certificate_authorities = ${req.certificate_authorities.certificate_authorities}; if ( certificate_authorities ) for ( unsigned int i = 0; i < certificate_authorities->size(); ++i ) - calist->Assign(i, zeek::make_intrusive((*certificate_authorities)[i]->certificate_authority().length(), (const char*) (*certificate_authorities)[i]->certificate_authority().data())); + { + auto ca = (*certificate_authorities)[i]->certificate_authority(); + calist->Assign(i, zeek::make_intrusive(ca.length(), (const char*) ca.data())); + } zeek::BifEvent::enqueue_ssl_certificate_request(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, ctlist, slist, calist); diff --git a/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek b/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek index c6e80fb518..259eca3ed8 100644 --- a/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek +++ b/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek @@ -13,10 +13,10 @@ event ssl_certificate_request(c: connection, is_client: bool, certificate_types: { print certificate_types; print supported_signature_algorithms; - for ( i in certificate_authorities ) + for ( _, ca in certificate_authorities ) { - print certificate_authorities[i]; - print parse_distinguished_name(certificate_authorities[i]); + print ca; + print parse_distinguished_name(ca); } print "========"; }
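Review bot: In the `@@ -656,11 +656,14 @@` hunk of tls-handshake-analyzer.pac, the new local `ca` is declared with plain `auto`, so it is a by-value copy of whatever `certificate_authority()` returns. If that accessor returns a reference (its declaration is not visible here), `const auto& ca = (*certificate_authorities)[i]->certificate_authority();` binds to the element without copying. It also makes clear that `ca.data()` points into the parsed message rather than into a temporary. The C-style `(const char*)` cast on the following line could become `reinterpret_cast<const char*>(ca.data())` in the same pass. The enclosing function starts and ends outside the hunk.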