My understanding (which may be flawed!) is that the following output represents a single unique chain:<br><br>Certificate 1:<br>subject= /O=.ca.cinecert.com/OU=.ra-<a href="http://1a.s430-2.ca.cinecert.com/CN=SM.www.cinecert.com/dnQualifier=u87hIANjv9IBkbCXs7JwC6tbEdw=">1a.s430-2.ca.cinecert.com/CN=SM.www.cinecert.com/dnQualifier=u87hIANjv9IBkbCXs7JwC6tbEdw=</a><br>
issuer= /O=.ca.cinecert.com/OU=.ra-<a href="http://1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=">1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=</a><br><br>
Certificate 2:<br>subject= /O=.ca.cinecert.com/OU=.ra-<a href="http://1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=">1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=</a><br>
issuer= /O=.ca.cinecert.com/OU=.ra-<a href="http://1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=">1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=</a><br><br>Certificate 3:<br>
subject= /O=.ca.cinecert.com/OU=.ra-<a href="http://1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=">1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=</a><br>issuer= /O=.ca.cinecert.com/OU=.s430-<a href="http://2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=">2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=</a><br>
<br>Certificate 4:<br>subject= /O=.ca.cinecert.com/OU=.s430-<a href="http://2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=">2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=</a><br>
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=<br><br>Certificate 5:<br>subject= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=<br>
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=<br><br>Thanks once again though!<br><br><br><div class="gmail_quote">On Thu, Feb 21, 2008 at 1:52 AM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Here is my new theory :) You've asked for it ;)<br>
<br>
1) The error appears during certificate chain verification<br>
and indicates that openssl can not find or verify certificate<br>
in the chain. There is no easy way to suppress this error<br>
because it might be a real problem (we don't know this at the<br>
moment this error is generated).<br>
<br>
2) For some reasons, the certificates you have in the signature<br>
allow one to construct more than one certificates chain. The first<br>
one can not be verified. But the second one can.<br>
<br>
3) The certificates chains are constructed using certificates<br>
issuers/subjects. If you have time and would like to nail it down,<br>
extract the issuers/subjects from all certificates in the<br>
signature and see if there is indeed two or more chains.<br>
<font color="#888888"><br>
Aleksey<br>
</font><div><div></div><div class="Wj3C7c"><br>
Paul Keeler wrote:<br>
> All your ideas are more than welcome! I tried your suggestion, but the<br>
> output is exactly the same. Not sure where that leaves us?<br>
><br>
> Thanks again.<br>
><br>
<br>
</div></div></blockquote></div><br>