Stephen, thank you for the reply.

> openssl verify -CAfile rootca.pem -untrusted othercas.pem signer.pem

This is what I did:

$ openssl verify -CAfile root_ca.cert -untrusted ca.cert sign.cert
sign.cert: OK

As you see, the signer certificate is OK; however, ca.cert is not being verified at all. Also, I looked into the details of the certificates and, much to my surprise, realised that ca.cert doesn't have the extensions that root_ca has: CA:true is missing from the extensions, and the keyIdentifier is not present. I wonder if the certificate creation process went wrong...

This is what I did:
- created root_ca.cert using openssl req -new -x509 (this creates a self-signed CA certificate)
- created a ca.cert request using openssl req -new -extensions v3_ca
- signed it with my root_ca.cert
- created a signer certificate request using openssl req -new
- signed it with ca.cert

Is this the correct procedure for chain creation? Did I miss something? How come the v3_ca section doesn't add the CA's extensions?

Dr. Stephen Henson wrote:
> On Mon, Aug 26, 2002, Michael Shmulevich wrote:
>
>> Hello,
>>
>> I am sorry for troubling you with a (quite standard) question, but I cannot
>> figure out my problem alone, and the man page doesn't really help me to solve the
>> problem.
>>
>> I try to transfer an application in a secure way with a PKCS#7 attachment.
>> I took 'openssl smime' as the utility since it looks like it suits my needs.
>>
>> I have a chain of certificates with the following structure:
>>
>> Root CA --> CA --> Signer Certificate
>>
>> Let's say I transfer a /bin/ls to someone. This is the command I used to create
>> a PKCS#7 structure:
>>
>> $ openssl smime -sign -in /bin/ls -out ls.pkcs7.pem -outform PEM -binary
>> -certfile root_ca.cert -certfile ca.cert -inkey sign.key -signer sign.cert
>>
>> The resulting PKCS#7 exhibits all the required certificates (three of them, including the
>> signer certificate, CA and Root CA) when I run
>> $ openssl pkcs7 -noout -text -print_certs -in ls.pkcs7.pem
>>
>> However, I cannot make it verify the PKCS#7 with any meaningful combination.
>> These are the two most successful tries:
>>
>> $ openssl smime -verify -in ls.pkcs7.pem -content /bin/ls -signer sign.cert
>> -certfile ca.cert -CAfile root_ca.cert
>>
>> Verification Failure
>> 9887:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
>> error:pk7_smime.c:213:Verify error:unable to get local issuer certificate
>>
>> And:
>> $ openssl smime -verify -in ls.pkcs7.pem -content /bin/ls -CAfile root_ca.cert
>> -signer mfg_cvc.cert -certfile cl_cvc_ca.cert
>>
>> Verification Failure
>> 9888:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
>> error:pk7_smime.c:213:Verify error:invalid CA certificate
>>
>>
>> Can someone enlighten me as to what I am doing wrong? I am intentionally not using
>> the standard CA directory, since these certificates are hand-made for testing
>> purposes.
>>
>
>
> These commands suggest something is wrong with the certificate chain. Try
> using the verify command:
>
> openssl verify -CAfile rootca.pem -untrusted othercas.pem signer.pem
>
> where 'rootca.pem' contains the root CA and othercas.pem contains the
> intermediate CA.
>
> Steve.
> --
> Dr. Stephen Henson [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~steve/
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
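A worked example, added here rather than taken from the thread or from the OpenSSL project, of the Root CA --> CA --> Signer chain Michael describes, followed by the verify and smime steps he tried. The point it demonstrates is that 'openssl x509 -req' does not copy extensions out of a request, so '-extensions v3_ca' on the 'req' line never reaches ca.cert; the CA extensions have to be supplied when the intermediate is signed. It assumes an openssl binary (1.1.1 or newer); the work directory, file names, subjects and signed payload are all constructed for the example.

```sh
# Added example (not from the thread): Root CA -> CA -> Signer, with the CA
# extensions supplied at signing time. File names/subjects are constructed.
set -eu

# Body runs in a subshell so 'cd' does not leak into the caller.
build_chain() (
  mkdir -p "$1" && cd "$1"
  # v3_ca carries CA:TRUE plus key identifiers; v3_leaf deliberately does not.
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
  # Root: 'req -x509' writes the -extensions section straight into the cert.
  openssl req -new -x509 -nodes -newkey rsa:2048 -keyout root_ca.key \
    -out root_ca.cert -config ext.cnf -subj /CN=TestRootCA -extensions v3_ca -days 30
  # Intermediate: 'x509 -req' ignores extensions in the CSR, so pass them here;
  # otherwise ca.cert ends up without CA:TRUE and is rejected as an issuer.
  openssl req -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.csr \
    -config ext.cnf -subj /CN=TestCA
  openssl x509 -req -in ca.csr -CA root_ca.cert -CAkey root_ca.key -CAcreateserial \
    -out ca.cert -extfile ext.cnf -extensions v3_ca -days 30
  # Signer: end-entity certificate issued by the intermediate.
  openssl req -new -nodes -newkey rsa:2048 -keyout sign.key -out sign.csr \
    -config ext.cnf -subj /CN=TestSigner
  openssl x509 -req -in sign.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
    -out sign.cert -extfile ext.cnf -extensions v3_leaf -days 30
)

# Returns 0 only if ca.cert is a real CA, the chain verifies, and a PKCS#7
# signature made with sign.cert verifies back to root_ca.cert.
check_chain() (
  cd "$1"
  openssl x509 -in ca.cert -noout -text | grep -q 'CA:TRUE' || exit 1
  openssl verify -CAfile root_ca.cert -untrusted ca.cert sign.cert >/dev/null
  printf 'constructed payload\n' > data.bin
  openssl smime -sign -in data.bin -out data.p7 -outform PEM -binary -nodetach \
    -signer sign.cert -inkey sign.key -certfile ca.cert
  openssl smime -verify -in data.p7 -inform PEM -CAfile root_ca.cert >/dev/null
)
```

Run it as build_chain /tmp/chaintest && check_chain /tmp/chaintest; drop the -extfile/-extensions pair from the intermediate's 'x509 -req' line and check_chain fails, which is the state the thread describes.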