[xmlsec] Signature Verification Problem Using X509 Certificates

[Aleksey Sanin]

> My understanding (which may be flawed!) is that the following output 
> represents a single unique chain:

Yes, this is a single chain :) Next idea, could you try to remove
the self-signed (root) certificate from the signature and just
supply it as the parameter to xmlsec command line utility?
I can see how openssl can be confused if it this certificate in
two places.

Aleksey