My understanding (which may be flawed!) is that the following output represents a single unique chain:

Certificate 1:
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=SM.www.cinecert.com/dnQualifier=u87hIANjv9IBkbCXs7JwC6tbEdw=
issuer= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=

Certificate 2:
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=
issuer= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=

Certificate 3:
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=
issuer= /O=.ca.cinecert.com/OU=.s430-2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=

Certificate 4:
subject= /O=.ca.cinecert.com/OU=.s430-2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=

Certificate 5:
subject= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=

Thanks once again though!

On Thu, Feb 21, 2008 at 1:52 AM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> Here is my new theory :) You've asked for it ;)
>
> 1) The error appears during certificate chain verification
> and indicates that openssl cannot find or verify a certificate
> in the chain. There is no easy way to suppress this error
> because it might be a real problem (we don't know this at the
> moment this error is generated).
>
> 2) For some reason, the certificates you have in the signature
> allow one to construct more than one certificate chain. The first
> one cannot be verified. But the second one can.
>
> 3) The certificate chains are constructed using certificate
> issuers/subjects.
>
> If you have time and would like to nail it down,
> extract the issuers/subjects from all certificates in the
> signature and see if there are indeed two or more chains.
>
> Aleksey
>
> Paul Keeler wrote:
> > All your ideas are more than welcome! I tried your suggestion, but the
> > output is exactly the same. Not sure where that leaves us?
> >
> > Thanks again.
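
One way to run the check suggested in the quoted reply (extract the issuers/subjects and see whether more than one chain can be built), as an added example that is not part of the original thread and is not xmlsec or OpenSSL code. The names parse_pairs and build_chains, the CN-only sample text, and the sixth certificate with issuer /CN=.example-other-ca are assumptions made for illustration; linking is by name only, with no signature verification.

```python
import re
from collections import defaultdict

# Handles both one-per-line and flattened "Certificate N: subject= ... issuer= ..." text.
PAIR = re.compile(r"subject=\s*(.+?)\s+issuer=\s*(.+?)\s*(?=Certificate\s+\d+:|\Z)", re.S)

def parse_pairs(text):
    """Return [(subject, issuer), ...] in the order the certificates are listed."""
    return PAIR.findall(text)

def build_chains(pairs):
    """Follow issuer -> subject name links upward from every leaf certificate.

    Returns [(path_of_indexes, complete)], where complete means the path
    ended at a self-signed certificate. Names only: no signature checks.
    """
    by_subject = defaultdict(list)
    for idx, (subject, _) in enumerate(pairs):
        by_subject[subject].append(idx)
    issuing = {issuer for subject, issuer in pairs if subject != issuer}
    leaves = [i for i, (subject, _) in enumerate(pairs) if subject not in issuing]
    chains = []

    def walk(idx, path):
        subject, issuer = pairs[idx]
        path = path + [idx]
        if subject == issuer:                      # self-signed root reached
            chains.append((path, True))
            return
        parents = [p for p in by_subject[issuer] if p not in path]
        if not parents:                            # issuer is not in the set
            chains.append((path, False))
        for parent in parents:                     # more than one parent = a fork
            walk(parent, path)

    for leaf in leaves:
        walk(leaf, [])
    return chains

# Constructed input: the five certificates from the message, cut down to their CNs.
LISTED = """Certificate 1: subject= /CN=SM.www.cinecert.com issuer= /CN=.cc-admin
Certificate 2: subject= /CN=.cc-admin issuer= /CN=.ra-1b
Certificate 3: subject= /CN=.ra-1b issuer= /CN=.ra-1a
Certificate 4: subject= /CN=.ra-1a issuer= /CN=.s430-2
Certificate 5: subject= /CN=.s430-2 issuer= /CN=.s430-2
"""
# Constructed sixth certificate (hypothetical): same subject as certificate 3, other issuer.
FORKED = LISTED + "Certificate 6: subject= /CN=.ra-1b issuer= /CN=.example-other-ca\n"

if __name__ == "__main__":
    for name, text in (("listed", LISTED), ("forked", FORKED)):
        for path, complete in build_chains(parse_pairs(text)):
            print(name, [i + 1 for i in path], "complete" if complete else "issuer missing")
```

With the five listed certificates the walk yields one complete path; adding a second certificate with an already-used subject name yields a second, incomplete path, which is the two-chain situation the theory describes.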