I would be grateful if someone could help me with this problem. I have a signed document which reports that it verifies ok, but also gives an error message: "unable to get local issuer certificate". The same thing happens both running from my own application and calling xmlsec from the command line:
xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> <my_signed_document>

This is the result:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0

The verification seems to have been successful (indicated by "OK"), but clearly an error was also reported. The signed document contains my entire certificate chain: Signer -> Intermediate CA -> Root CA. The Root CA in the chain is the same as the trusted root pem I pass using the --trusted-pem option, so I would expect verification to succeed.

Now, I can make the error message go away by extracting the Intermediate CA certificate from the signed document and passing it to XMLSEC using the --untrusted-pem option:

xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> <my_signed_document>

I did not expect that I would have to explicitly pass a certificate from the chain to xmlsec and flag it as being untrusted. Am I doing something wrong? Surely xmlsec should assume that all X509 certificates in a chain are untrusted by default? Have I missed the point somewhere?

Many thanks in advance.
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
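The behaviour described in the post (a trusted root alone is not enough to build a path to the signer; the intermediate must be offered separately as an untrusted chain certificate) can be reproduced outside xmlsec. The Go program below is an added example, not code from the post or from xmlsec: it builds a constructed Signer -> Intermediate CA -> Root CA chain and verifies the signer certificate first with only the root as trust anchor (the --trusted-pem case), then with the intermediate supplied as an untrusted chain certificate (the --untrusted-pem case). The function names issue, BuildChain and Verify are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key and signs a certificate for it with parent/parentKey;
// a nil parent yields a self-signed certificate (our constructed root).
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, not a real PKI
		Subject:      pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain returns a constructed Signer -> Intermediate CA -> Root CA chain.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, root, rootKey)
	signer, _ := issue("Constructed Signer", false, inter, interKey)
	return root, inter, signer
}

// Verify trusts only root (like --trusted-pem); inter is offered purely as an
// untrusted chain certificate (like --untrusted-pem) when withIntermediate is set.
func Verify(root, inter, signer *x509.Certificate, withIntermediate bool) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(inter)
	}
	_, err := signer.Verify(opts) // fails with UnknownAuthorityError when no path to root exists
	return err
}
```

Without the intermediate the verifier has no issuer for the signer certificate and reports an unknown authority, the same condition OpenSSL reports as "unable to get local issuer certificate"; with it, the path Signer -> Intermediate -> Root is found and the intermediate itself is never treated as trusted.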
