
Duplicated X509Certificate

I am trying to sign an XML file and for some reason it's adding two <X509Certificate> tags under the <X509Data> tag. The values in the tags are not identical (see example below).

<KeyInfo>
  <X509Data>
    <X509Certificate>KJASHDJASHAHDJA</X509Certificate>
    <X509Certificate>ASJKLDJASDJASDJKLASJDASJKDASA</X509Certificate>
  </X509Data>
</KeyInfo>

This is happening after I had to change the old certificate after it expired (the code was working fine before).

Code I use to get the key-info node:

private KeyInfo getKeyInfo()
{
  KeyInfo keyInfo = new KeyInfo();
  KeyInfoX509Data keyInfoX509Data = new KeyInfoX509Data(this.certificate, X509IncludeOption.ExcludeRoot);
  keyInfo.AddClause(keyInfoX509Data);
  return keyInfo;
}

If you need me to post more information please let me know.

An XML signature is expected to include the signing certificate and the certification chain so that the recipient can verify trust up to the root CA certificate.

See the XMLDsig standard:

4.4.4 The X509Data Element

All certificates appearing in an X509Data element MUST relate to the validation key by either containing it or being part of a certification chain that terminates in a certificate containing the validation key.

If the certification chain of your new certificate contains one intermediate certificate before the root, it is normal that you see two certificates in X509Data:

 root
   --intermediate1
       --leaf 

You can check it by opening the certificate with an editor (double-click in Windows).

If you want to eliminate the intermediate certificate in your output, change

new KeyInfoX509Data(this.certificate, X509IncludeOption.ExcludeRoot);

to

new KeyInfoX509Data(this.certificate, X509IncludeOption.EndCertOnly);

Then it will write just the signing cert, instead of the chain (except for the root).
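
The chain behaviour described in the answers, as an added example that is not part of the original posts: it builds a constructed in-memory PKI and lists which chain elements each include option selects, for a leaf issued directly by a root and for one issued through an intermediate. It assumes .NET 5 or later, all certificate names are hypothetical, and the selection is applied to an explicitly built X509Chain instead of calling KeyInfoX509Data.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class X509DataChainDemo
{
    // Constructed test PKI: self-signed when issuer is null, otherwise signed by issuer.
    static X509Certificate2 Issue(string cn, X509Certificate2 issuer, bool isCa, int days)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=" + cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        var now = DateTimeOffset.UtcNow; // smaller 'days' keeps the validity nested inside the issuer's
        if (issuer == null) return req.CreateSelfSigned(now.AddDays(-days), now.AddDays(days));
        return req.Create(issuer, now.AddDays(-days), now.AddDays(days), new[] { (byte)days })
                  .CopyWithPrivateKey(key);
    }

    // Subjects selected by an include option from a built chain (elements are ordered leaf first, root last).
    static string[] Included(X509Certificate2 leaf, X509Certificate2 root, X509IncludeOption option,
                             params X509Certificate2[] intermediates)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // trust only the demo root
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);
        if (!chain.Build(leaf)) throw new CryptographicException("chain did not build");
        var all = chain.ChainElements.Cast<X509ChainElement>().Select(e => e.Certificate.Subject).ToArray();
        return option switch
        {
            X509IncludeOption.EndCertOnly => all.Take(1).ToArray(),
            X509IncludeOption.ExcludeRoot => all.Take(Math.Max(1, all.Length - 1)).ToArray(),
            X509IncludeOption.WholeChain => all,
            _ => Array.Empty<string>(),
        };
    }

    static void Main()
    {
        var root = Issue("Demo Root", null, true, 30);
        var inter = Issue("Demo Intermediate", root, true, 20);
        var direct = Issue("Leaf issued by root", root, false, 10);
        var viaInter = Issue("Leaf issued by intermediate", inter, false, 10);
        foreach (var opt in new[] { X509IncludeOption.ExcludeRoot, X509IncludeOption.EndCertOnly })
        {
            Console.WriteLine($"{opt}, issued by root: {string.Join(" | ", Included(direct, root, opt))}");
            Console.WriteLine($"{opt}, via intermediate: {string.Join(" | ", Included(viaInter, root, opt, inter))}");
        }
    }
}
```

With ExcludeRoot, the leaf issued through the intermediate yields two subjects (leaf and intermediate), while the leaf issued directly by the root yields one; EndCertOnly yields one in both cases.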
