One of the following two child elements may be configured. Their use conflicts with the
trustEngineRef XML attributes.
A PEM-format public key.
You can obtain a public key from a certificate using a command such as:
$ openssl x509 -pubkey -in cert.pem -noout
A trust engine plugin that defines how the signature is to be checked