On Mon, Aug 26, 2002, Michael Shmulevich wrote:

> Hello,
>
> I am sorry for troubling you with a (quite standard) question, but I cannot
> figure out my problem alone, and the man page doesn't really help me to solve
> the problem.
>
> I try to transfer an application in a secure way with a PKCS#7 attachment.
> I took 'openssl smime' as a utility since it looks like it suits my needs.
>
> I have a chain of certificates with the following structure:
>
> Root CA --> CA --> Signer Certificate
>
> Let's say I transfer /bin/ls to someone. This is the command I used to create
> a PKCS#7 structure:
>
> $ openssl smime -sign -in /bin/ls -out ls.pkcs7.pem -outform PEM -binary
> -certfile root_ca.cert -certfile ca.cert -inkey sign.key -signer sign.cert
>
> The resulting PKCS#7 exhibits all the required certificates (three of them,
> including the signer certificate, CA and Root CA) when I try to run
> $ openssl pkcs7 -noout -text -print_certs -in ls.pkcs7.pem
>
> However, I cannot make it verify the PKCS7 with any meaningful combination.
> These are the two most successful tries:
>
> $ openssl smime -verify -in ls.pkcs7.pem -content /bin/ls -signer sign.cert
> -certfile ca.cert -CAfile root_ca.cert
>
> Verification Failure
> 9887:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:pk7_smime.c:213:Verify error:unable to get local issuer certificate
>
> And:
> $ openssl smime -verify -in ls.pkcs7.pem -content /bin/ls -CAfile root_ca.cert
> -signer mfg_cvc.cert -certfile cl_cvc_ca.cert
>
> Verification Failure
> 9888:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:pk7_smime.c:213:Verify error:invalid CA certificate
>
>
> Can someone enlighten me what I am doing wrong? I am intentionally not using
> the standard CA directory, since these certificates are hand-made for testing
> purposes.
>
These commands suggest something is wrong with the certificate chain. Try using
the verify command:

openssl verify -CAfile rootca.pem -untrusted othercas.pem signer.pem

where 'rootca.pem' contains the root CA and othercas.pem contains the
intermediate CA.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
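An added example, not part of the original thread: the script below builds a constructed Root CA --> CA --> signer test chain and runs the verify command from the reply against it, showing one way each of the two errors quoted in the question can arise (the intermediate is not supplied, or the certificate in the issuer position is not marked as a CA). The file names rootca.pem, othercas.pem and signer.pem follow the reply; badca.pem, ext.cnf, the subject names and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed test PKI: rootca -> othercas -> signer, plus badca.pem, a
# re-issue of the intermediate (same key and name) marked CA:FALSE.
make_chain() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
    req() {    # $1 = name: writes $1.key and $1.csr
      openssl req -config ext.cnf -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=Constructed $1" 2>/dev/null
    }
    issue() {  # $1 = subject  $2 = issuer  $3 = ext section  $4 = output  $5 = serial
      openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -set_serial "$5" -days 30 -extfile ext.cnf -extensions "$3" \
        -out "$4" 2>/dev/null
    }
    req rootca && openssl x509 -req -in rootca.csr -signkey rootca.key \
        -days 30 -extfile ext.cnf -extensions ca -out rootca.pem 2>/dev/null &&
    req othercas && issue othercas rootca ca othercas.pem 2 &&
    issue othercas rootca leaf badca.pem 3 &&
    req signer && issue signer othercas leaf signer.pem 4
  )
}

# The command from the reply. $2 may be empty to omit -untrusted entirely.
check_chain() {  # $1 = root CA file  $2 = intermediate CA file  $3 = signer cert
  openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$3" 2>&1
}

work=$(mktemp -d) && make_chain "$work" && cd "$work" || exit 1
check_chain rootca.pem othercas.pem signer.pem   # signer.pem: OK
check_chain rootca.pem ""           signer.pem   # unable to get local issuer certificate
check_chain rootca.pem badca.pem    signer.pem   # invalid CA certificate
echo "test chain left in $work"
```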