
Why does CertGetCertificateChain have a facility to return more than one "simple chain"? What are simple chains and what other type of chains should I expect?

On a test run passing a certificate such as the following...

root
  |- parent
    |- my certificate 

...the result was one simple chain:

0. my certificate
1. parent
2. root

In what case will we see more than one simple chain returned?

Agnel Kurian

1 Answer


Multiple chains may appear when there are multiple paths from a single leaf certificate through multiple CA certificates.

This occurs in two (major) cases:

  1. two or more CA certificates share the same Subject and public key. This happens when a CA certificate is renewed with the same key pair. This will result in two very similar certificates which can be used as a node in the certification path building. They are different, but they both (since Subject and public key are shared) can be used to validate the signature of the issued certificate.

  2. when cross-certification is used to provide additional paths to (possibly) a different root certificate. Literally the same as above, with the exception that this option is used to provide routes to different CA roots.

A single certificate chain is just a single path from a collection of all possible paths.
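As an added illustration (not code from the question or the answer, and not a CryptoAPI call), the following Python models the path-building step the answer describes and shows both cases producing more than one simple chain. The certificate records, their labels and the fields used for matching (Subject/issuer names plus a key identifier standing in for the public key) are constructed simplifications; real path building also checks validity periods, name constraints, policies and revocation, which this model omits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate: only the fields path building needs."""
    label: str           # human-readable name (this example's own, not an X.509 field)
    subject: str
    issuer: str
    key_id: str          # identifies the subject public key (think SubjectKeyIdentifier)
    signer_key_id: str   # identifies the key that signed this cert (think AuthorityKeyIdentifier)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.signer_key_id


def issuers_of(cert: Cert, store: list[Cert]) -> list[Cert]:
    """Every store certificate that could validate cert's signature: its Subject
    matches cert's issuer name and its public key matches the signing key.
    Renewed CA certificates (same Subject, same key) all match here, which is
    exactly why more than one path can exist."""
    return [c for c in store
            if c is not cert and c.subject == cert.issuer and c.key_id == cert.signer_key_id]


def build_chains(leaf: Cert, store: list[Cert]) -> list[list[Cert]]:
    """Enumerate every path from leaf up to a self-signed certificate (depth-first).
    Each returned list is one 'simple chain', ordered leaf -> root, in the same
    spirit as rgpChain[i]->rgpElement[] of a CERT_CHAIN_CONTEXT."""
    chains: list[list[Cert]] = []

    def walk(path: list[Cert]) -> None:
        current = path[-1]
        if current.self_signed:          # reached a root: one complete simple chain
            chains.append(list(path))
            return
        for issuer in issuers_of(current, store):
            if issuer in path:           # guard against loops (e.g. mutual cross-certs)
                continue
            walk(path + [issuer])

    walk([leaf])
    return chains


def describe(chains: list[list[Cert]]) -> list[str]:
    """Render each simple chain as 'leaf -> ... -> root' for display and assertions."""
    return [" -> ".join(c.label for c in chain) for chain in chains]


# Constructed sample hierarchy mirroring the question: root / parent / my certificate.
ROOT_A      = Cert("root A", "CN=Root A", "CN=Root A", "kA", "kA")
PARENT_2015 = Cert("parent (2015)", "CN=Parent CA", "CN=Root A", "kP", "kA")
# Case 1: the parent CA renewed with the SAME key pair -> same Subject, same key id.
PARENT_2020 = Cert("parent (renewed 2020)", "CN=Parent CA", "CN=Root A", "kP", "kA")
LEAF        = Cert("my certificate", "CN=my certificate", "CN=Parent CA", "kL", "kP")
# Case 2: root A's key cross-certified by a different root B.
ROOT_B      = Cert("root B", "CN=Root B", "CN=Root B", "kB", "kB")
CROSS_CERT  = Cert("cross-cert for Root A issued by Root B", "CN=Root A", "CN=Root B", "kA", "kB")

STORE_SIMPLE  = [ROOT_A, PARENT_2015, LEAF]                      # the questioner's test run
STORE_RENEWED = [ROOT_A, PARENT_2015, PARENT_2020, LEAF]         # case 1
STORE_CROSS   = [ROOT_A, PARENT_2015, LEAF, ROOT_B, CROSS_CERT]  # case 2

if __name__ == "__main__":
    for name, store in (("simple", STORE_SIMPLE), ("renewed CA", STORE_RENEWED), ("cross-certified", STORE_CROSS)):
        print(f"{name}:")
        for line in describe(build_chains(LEAF, store)):
            print("  ", line)
```

With only the three certificates from the question, one chain comes back, which matches the observed result. Adding the renewed parent yields two chains that differ only in which copy of the parent CA sits at element 1; adding the cross-certificate yields a second chain that ends at a different root. Each list is one simple chain, and the full result is the collection of all of them.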

Crypt32