On Wed, May 17, 2006, camino (sent by Nabble.com) wrote: > > when i got a signed smime letter signed by PKCS7_sign > suppose the certificate chain is > myca -> mycertificate > so the PKCS7_verify is ok > > but if the certificate chain is > myca -> myissueca -> mycertificate > so the pkcs7_verify will fail > even i use > openssl smime -verify -certfile my.cer -CAfile myca.cer -in o.eml > it will fail too ,and the error messsage is > "unable to get local issuer certificate" > > but if the signed letter is signed by other application ,such as outlook > there is no problem > i wonder why > > any help would be great appreciate >
The signed email should include the intermediate CA (myissueca) in this case in the signed message. The -certfile option does this on the command line. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
