PKI Usage in Trusted Boot


I am trying to understand how PKI is used to boot an ARM board.

The following image relates to BL1:

enter image description here

The booting steps state:

enter image description here

Also from:

enter image description here

The certificate used in step 1 appears to be a content certificate. In the diagram it suggests in contains the public key used to sign a hash, and the signed hash for BL2. Referring to X-509 certificate:

enter image description here

My question is that from the description above, is ARM not using the subject public key information in X509, and is instead adding the public key used to verify the hash in the extension field, and the signed hash in the digital signature field ?

The diagram also indicates that the trusted key certificate contains 3 keys (ROTPK, TWpub, NWpub). Does that mean that put all 3 keys in extension field, then added the signed hash of perhaps TWpub + NWpub in the digital signature and again didn’t use the subject public key information field (with certificate later verified with the ROTPK in the extension field) ?