[DCP-o-matic] certificates

Still trying to get a grip on our Barco certificate issue. What I don't understand is - there seem to be certificate/pem files with one, or multiple certificate blocks in them (multiple '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' blocks). Sometimes when I request a certificate, I get a single .pem file, sometimes I get multiple files. I understand there are separate certificates for J2K and MPEG-2, and also certificates that include the root chain or not. E.g. when I download my ICMP certificate from the ICMP itself, I get an 8KB BARCO-ICMP-9730000916.pem. When I request it from Barco, I get a ZIP file with two files: Barco-ICMP.9730000916_cert.pem 4kB Barco-ICMP.9730000916_chain.pem 8kB Which of the two are actually needed for KDM creation? DOM seems to accept both - but when I create encrypted DCPs, neither works. The two 8kB files are bit-identical. I received a Doremi certificate file that I used sucessfully with DOM to create and play an encrypted DCP - but that file only contained a single certificate block. How can it be those certificate files are so different? For this Doremi server, the Doremi FTP site delivers a ZIP with SIX certificate files: dcp2000-254124.cert.mpeg.pem - 4kB dcp2000-254124.cert.sha256.pem - 4kB dcp2000-254124.cert.sms.pem - 4kB dcp2000-254124.chain.mpeg.pem - 12kB dcp2000-254124.chain.sha256.pem - 12kB dcp2000-254124.chain.sms.pem - 12kB I would think that the mpeg.pem is for MPEG2-Interop KDMs, sha256.pem is for J2C-SMPTE-KDMs, and that sms.pem is for verifying signed log files from the server? I understand that chains will not only contain the device certificate itself, but also it's parent-certificate, in the case of the Barco ICMP e.g. leading the device cetificate back to Barco. As such, I would assume that for KDM creation, a software would be able to work with both types of files? How will a software know which is which, when the number of certificate blocks differ between devices? - Carsten