Oops.. The line was too long and I missed the last two certs. However, this changes nothing for me:
[EMAIL PROTECTED] openssl verify -CAfile c.pem b.pem
b.pem: OK
[EMAIL PROTECTED] openssl verify -CAfile b.pem a.pem
a.pem: /C=US/O=MasterCard International Incorporated Test System Subordinate/OU=SecureCode Test System Subordinate CA Certificate/CN=MasterCard SecureCode Test Issuer and Directory Subordinate
error 2 at 1 depth lookup:unable to get issuer certificate
The only idea I have is that you have some cert installed in the default openssl path
that I don't have (for example, it might be original root cert used for other certs generation).
And xmlsec does not know about it either. The only suggestion I have is to run xmlsec or openssl
in the debugger. It should be somewhere in openssl/crypto/x509/x509.c or openssl/crypto/x509/x509vfy.c
To verify a you need to have b AND c loaded because it's a "certificate-hierarchy".
c -> b -> a
That's why I used the CAPath-feature from openssl because it is only possible to use cafile one time. Put b and c in a directory, run "c_rehash ." to prepare it and then you can use that using openssl ... and then it should be possible to verify a.pem with that.
Does xmlsec use all these certificates or only get the first one?!
Yes, of course. It loads everything it can find.
hm ...
When I try to load the extracted b.pem and c.pem as trusted certificates into xmlsec I get
xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation failed : X509_LOOKUP_load_file(b.pem) - 0
Error: unable to load certificate file "b.pem".
What could be the reason for that error?
Have you added magic "----BEGIN CERTIFICATE----" and "-----END CERTIFICATE-----" to the extracted certs? xmlsec utility expects certs in PEM files.
Yes I added that - openssl accepts it ...
Any other ideas?
Ingo F
Aleksey
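
The verification behaviour discussed in this thread, as an added example that is not part of the original messages: the script builds a constructed three-level hierarchy c -> b -> a (all subject names, file names and the work directory are made up) and checks that a.pem verifies only when both b and c are trusted, either concatenated into one -CAfile or hashed into a -CApath directory. It assumes an openssl binary on the PATH and uses "openssl rehash" where available, falling back to c_rehash.

```shell
#!/bin/sh
# Added example with constructed data: c (root) -> b (subordinate CA) -> a (leaf).
# Subject names, file names and the work directory are made up for this demo.

build_chain() {   # $1 = existing empty directory
    ( cd "$1" || exit 1
      # Minimal config so the run does not depend on a system openssl.cnf.
      printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
          '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
      openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
          -keyout c.key -out c.pem -subj '/CN=Constructed Root c' -days 30 &&
      openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
          -keyout b.key -out b.csr -subj '/CN=Constructed Subordinate b' &&
      openssl x509 -req -in b.csr -CA c.pem -CAkey c.key -set_serial 2 \
          -extfile ca.cnf -extensions v3_ca -days 30 -out b.pem &&
      openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
          -keyout a.key -out a.csr -subj '/CN=Constructed Leaf a' &&
      openssl x509 -req -in a.csr -CA b.pem -CAkey b.key -set_serial 3 \
          -days 30 -out a.pem
    ) >/dev/null 2>&1
}

# Succeed only if "openssl verify" prints "<file>: OK"; old releases exit 0 on failure.
verifies() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# Only b trusted: the chain stops at b, whose issuer c cannot be found.
check_b_only() { ( cd "$1" && verifies -CAfile b.pem a.pem ); }

# b and c concatenated: a single -CAfile can hold several PEM certificates.
check_bundle() { ( cd "$1" && cat b.pem c.pem > chain.pem &&
                   verifies -CAfile chain.pem a.pem ); }

# b and c in a hashed directory, as with "c_rehash ." in the thread.
check_capath() { ( cd "$1" && mkdir -p ca && cp b.pem c.pem ca/ &&
                   { openssl rehash ca || c_rehash ca; } >/dev/null 2>&1 &&
                   verifies -CApath ca a.pem ); }

work=$(mktemp -d)
if build_chain "$work"; then
    check_b_only "$work" && echo "b only:  OK" || echo "b only:  FAILED (issuer c missing)"
    check_bundle "$work" && echo "b+c file: OK" || echo "b+c file: FAILED"
    check_capath "$work" && echo "CApath:   OK" || echo "CApath:   FAILED"
fi
rm -rf "$work"
```

If the first check unexpectedly succeeds on a real system, look for the root certificate in the default OpenSSL trust directory, which openssl verify also consults.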
