[xmlsec] PKCS12 certificate chains redux

Aleksey Sanin aleksey at aleksey.com
Fri Apr 11 10:56:29 PDT 2003

Sure :) When you are extracting a key from certificates there is one 
"special" certificate:
the one that actualy contains the key. In the xmlsec-openssl library, 
application may
access this certificate thru the following functions:
Since the certificate "duplicate" operation for OpenSSL is only ref 
count increment, I've
decided that it's more simple to have two "copies" of this special 
certificate: one in the
certificates chain and one in the special separate member of the 

Now if we go back to pkcs12 files, you'll see that we have exactly the 
same situation:
there is a special "key" certificate and all other chain certificates. 
 From an application
point of view, it makes perfect sense to also have access to this "key 
And I remember that this was actualy a "feature request" from someone a 
couple months ago :)

As I wrote, ceritficate duplicaton in openssl is cheap. It's possible 
that another xmlsec-crypto
library implementation will have only one copy of the certificate. As 
you can see from the function
names, this is crypto library specific code :)


Jesse Pelton wrote:

>In version 0.1.1, xmlSecOpenSSLAppPkcs12Load() makes two copies of the key
>certificate. One is adopted as a key certificate, the other is adopted in
>the certificate chain.  This is somewhat confusing and a bit inefficient,
>but I imagine there's a reason for the second copy.  Can you explain?
>xmlsec mailing list
>xmlsec at aleksey.com

More information about the xmlsec mailing list