I ran into a small snag using OpenSSL for email encryption, whether I use it from inside mutt or standalone.

I received a signed email from my test account (using a free thawte email cert). I saved the corresponding cert in the place necessary for mutt to use it for encryption. Mutt simply throws the signature through "openssl pkcs7 -print_certs" and throws the resulting certificate chain into `openssl x509 -hash -noout`.0. I am able to use this cert without any problems to encrypt back to the sender, and can decrypt it there. Looking at the resulting certificate, the order in the file is as follows:

(1) The signer cert (signed by (3))
(2) The CA root cert (self-signed)
(3) An intermediate cert (signed by (2))

I received email from someone else, signed using a digsigtrust.org certificate. I added it in the same way, but the recipient is not able to decrypt email from me encrypted with this certificate. I looked at the actual cert file, and this is how it is arranged:

(1) An intermediate cert (signed by (2))
(2) The CA root cert (self-signed)
(3) An intermediate cert (signed by (1))
(4) The signer cert (signed by (3))

So it turns out email I thought I was encrypting with (4) was actually being encrypted with (1). Of course the recipient could not decrypt.

Is there an easy way, besides editing the certs by hand, to separate out:

a - the signer's cert alone (depth 0 in the chain)
b - the root CA cert
c - all other intermediate certs

Also, is this a borked setup on the other person's machine that their certificate comes out upside-down like that? I have tested with (ugh) Outlook Express also, and this upside-down certificate is properly used (Outlook separates out the a, b, and c parts properly).

--
Jim Ramsay
[EMAIL PROTECTED]
PGP Key ID: 0xBE28F488

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
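The certificate list inside a PKCS#7/CMS SignedData structure is a SET, so no particular order is guaranteed and a setup that takes "the first cert in the file" as the signer's cert will break exactly as described above. The script below is an added example (not code from the post, from mutt, or from the OpenSSL project): it splits a PEM bundle into leaf, root and intermediate files by comparing subject and issuer name hashes, so the order in the input does not matter. The demo chain (CNs "Example Root CA", "Example Intermediate CA" and "user@example.test") is constructed on the fly with the openssl CLI and written out in the same upside-down order as in the post; those names and the `make_demo_chain`, `split_pem` and `classify_bundle` helpers are this example's own. Note the caveat: the classification only matches names, it does not verify signatures, so a certificate that merely claims a CA as its issuer would be filed as that CA's child; trust decisions still belong to `openssl verify`.

```shell
#!/bin/sh
# Sort the certificates in a PEM bundle into leaf / root / intermediates
# by subject/issuer relationships, independent of their order in the file.
# Example script, not mutt's or OpenSSL's own code. Needs only the openssl CLI.
set -eu

# split_pem BUNDLE OUTDIR: write each CERTIFICATE block to OUTDIR/cert-N.pem.
# Text between blocks (e.g. the subject= lines that -print_certs emits) is dropped.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# classify_bundle BUNDLE OUTDIR: produce OUTDIR/leaf.pem, OUTDIR/root.pem and
# OUTDIR/intermediates.pem from the certificates in BUNDLE.
classify_bundle() {
    bundle=$1; out=$2
    mkdir -p "$out/parts"
    split_pem "$bundle" "$out/parts"
    : > "$out/leaf.pem"; : > "$out/root.pem"; : > "$out/intermediates.pem"
    # Every issuer hash present in the bundle. A cert whose own subject hash
    # appears here signed something, so it cannot be the end-entity cert.
    issuers=$(for c in "$out"/parts/cert-*.pem; do
                  openssl x509 -in "$c" -noout -issuer_hash
              done)
    for c in "$out"/parts/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject_hash)
        iss=$(openssl x509 -in "$c" -noout -issuer_hash)
        if [ "$subj" = "$iss" ]; then
            cat "$c" >> "$out/root.pem"           # self-issued: the root
        elif printf '%s\n' "$issuers" | grep -qxF "$subj"; then
            cat "$c" >> "$out/intermediates.pem"  # issued some other cert
        else
            cat "$c" >> "$out/leaf.pem"           # issued nothing: depth 0
        fi
    done
}

# count_certs FILE: number of certificates in a PEM file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf chain, bundled
# in the "upside-down" order from the post (intermediate, root, leaf).
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=user@example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" "$d/leaf.pem" > "$d/bundle.pem"
}

# demo: build the constructed chain, classify it and print who landed where.
demo() {
    tmp=$(mktemp -d)
    make_demo_chain "$tmp"
    classify_bundle "$tmp/bundle.pem" "$tmp/out"
    for part in leaf root intermediates; do
        printf '%s: ' "$part"
        openssl x509 -in "$tmp/out/$part.pem" -noout -subject
    done
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh sortchain.sh demo` to see the constructed chain sorted, or call `classify_bundle bundle.pem outdir` on the output of `openssl pkcs7 -print_certs`; `outdir/leaf.pem` is then the file to hand to `openssl x509 -hash -noout` for mutt's encryption key store, and `outdir/root.pem` plus `outdir/intermediates.pem` go to the trust store and chain directory respectively.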