Re: unable to get local issuer certificate

Wed, 10 May 2000 05:11:06 -0700 

Arnaud De Timmerman wrote:
> 
> All,
> 
> Trying to verify a message I've just signed with openssl, I've got this message
> :
> ********************************
> Verification Failure
> 381:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smim
> e.c:205:Verify error:unable to get local issuer certificate
> ********************************
> In pk7_smime.c the code is
> 201:i = X509_verify_cert(&cert_ctx);
> 202:if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
> 203:X509_STORE_CTX_cleanup(&cert_ctx);
> 204:if (i <= 0) {
> 205: PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
> 206: ERR_add_error_data(2, "Verify error:",
> 207:      X509_verify_cert_error_string(j));
> 208: sk_X509_free(signers);
> 209: return 0;
> 210: }
> 
> Is something wrong in my command line which is "openssl smime -verify -in ficout
>  -certfile toto.cer" ?
> Is a file missing ?
> Can Netscape or IE preferences be involved in this message ?
> 
> Signing was correct in my opinion with :
> 
> ********************************
> openssl smime -sign -in ficin -out ficout -signer toto.cer -inkey toto.key -des3
> ********************************
> 
> Where could I find command line examples of the smime utility with openssl
> (others than in smime.pod) ?
> 

What it is saying is that it can't find the CA of the signer of the
message.

You probably haven't set up your certificate store correctly. You can
use the -CAfile and -CApath options (-CApath is tricky under Windows) to
supply a list of trusted CAs. You need to include the signer's CA in
this list.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to