[xmlsec] Re: [Bug 107003] Changed - xmlsec does not allow self-signed X509 certificates

Aleksey Sanin aleksey at aleksey.com
Wed Feb 26 07:53:18 PST 2003

>When I run the following on the attached files, I get the error below:
>xmlsec sign --privkey DumpedKey.pem,DumpedCert.pem --output x1-sig.xml
You have a minor problem in your template: you had an
empty <ds:X509Certificate/> element in the <ds:X509Data/>
element and this caused the Base64 error you've seen :)
Removing it solved all the problems and the command above
succeeded (see attached file).

>So not knowing exactly what was wrong I stored the X500 cert in the template
>and ran the following:
>xmlsec sign --privkey DumpedKey.pem,DumpedCert.pem --output x1-sig.xml
xmlSecX509StoreVerify (..\src\x509.c:1090): error 41: cert verification
failed : error=18 (self signed certificate)
xmlSecX509DataNodeRead (..\src\keyinfo.c:1196): error 41: cert verification
failed :

You've stored the certificate in the template and xmlsec decided
that it needs to read it. And the cert verification failed because
there was no "root" certificate.

I prefer to discuss xmlsec questions in the xmlsec mailing list
so this message is copied to the list.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: x1-sig-template.xml.gz
Type: application/x-gzip
Size: 338 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030226/a0618b7e/x1-sig-template.xml.bin
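
A pre-flight check for the two template conditions described in this message, added here as an illustration; it is not part of the original post or of xmlsec. The names `check_template` and `make_template` and the sample templates are constructed for this example, and the Base64 validity check goes one step beyond the empty-element case in the message.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"


def make_template(x509_body):
    """Build a constructed, minimal signature template around an X509Data body."""
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:KeyInfo><ds:X509Data>'
            f"{x509_body}</ds:X509Data></ds:KeyInfo></ds:Signature>")


def check_template(xml_text):
    """Return (kind, message) findings for every ds:X509Certificate element."""
    findings = []
    root = ET.fromstring(xml_text)
    for cert in root.iter(f"{{{DS}}}X509Certificate"):
        text = "".join((cert.text or "").split())  # drop line breaks and indentation
        if not text:
            # The first case in the message: an empty element triggers the Base64 error.
            findings.append(("empty", "empty element; remove it from the template"))
            continue
        try:
            base64.b64decode(text, validate=True)
        except binascii.Error:
            findings.append(("bad-base64", "content is not valid Base64"))
            continue
        # The second case: a stored certificate is read and verified, which
        # fails for a self-signed certificate when no root certificate is known.
        findings.append(("embedded-cert",
                         "certificate in template will be read and verified"))
    return findings


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    fake = base64.b64encode(b"constructed placeholder, not a certificate").decode()
    samples = {
        "empty element": "<ds:X509Certificate/>",
        "element removed": "",
        "stored certificate": f"<ds:X509Certificate>{fake}</ds:X509Certificate>",
    }
    for name, body in samples.items():
        print(f"{name}: {check_template(make_template(body))}")
```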
