Hi,

I get an "unsupported certificate purpose" error when using the smime utility. The signed file is produced by an iOS device, and the cert is issued by MS cert addon.

My openssl version is “OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008”.

Below are my troubleshooting details. Please check and give some suggestions, thanks a lot!

Signature verification failed. It seems the cert chain verification passed; the only problem is the purpose problem.


# openssl smime -verify -inform DER -in second_profile_post.der
Verification failure
8480:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:245:Verify error:unable to get local issuer certificate

# openssl smime -verify -inform DER -in second_profile_post.der -CAfile good.pem
Verification failure
8479:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:245:Verify error:unsupported certificate purpose

 

Cert info obtained using the pkcs7 utility; please check the X509 v3 extensions:

# openssl pkcs7 -inform DER -in second_profile_post.der -print_certs -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:2e:11:7e:00:00:00:00:00:0f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=goodtest, CN=iOSEnrollment
        Validity
            Not Before: May  8 08:36:01 2012 GMT
            Not After : May  8 08:36:01 2014 GMT
        Subject: O=Example, Inc., CN=User Device Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                ......
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                C9:52:F5:71:BB:59:69:BE:E5:0A:64:1D:38:40:F0:C7:BF:FB:0E:42
            X509v3 Authority Key Identifier:
                keyid:FE:F4:50:09:DD:C1:C6:DD:F3:55:5E:05:2A:90:01:B2:FA:38:1D:A3

            X509v3 CRL Distribution Points:
                ......
            Authority Information Access:
                ......
            1.3.6.1.4.1.311.20.2:
                .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2

 

Detailed purpose info from the x509 utility:

####################### Below is the purpose info from the cert imported from the previous command

# openssl x509 -purpose -in goodcert.pem -noout
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

 

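Added example, not part of the original post and not OpenSSL's own code: a small parser for the "X509v3 extensions" block of the dump above, followed by a simplified model of the end-entity "S/MIME signing" purpose check, to show which extension yields "S/MIME signing : No". The function names are hypothetical, and the model assumes a non-CA certificate and ignores the Netscape Cert Type extension.

```python
import re

# Extension block copied from the certificate dump in the post
# (the elided CRL/AIA entries are left out).
CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2
"""

def parse_extensions(text):
    """Map extension name -> list of values from `openssl ... -text` output."""
    exts, name, base = {}, None, None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if body == "X509v3 extensions:":
            base = indent                      # start of the extensions block
        elif base is None:
            continue                           # not inside the block yet
        elif indent <= base:
            break                              # left the extensions block
        elif indent == base + 4:               # extension header line
            name = re.sub(r":(\s*critical)?$", "", body)
            exts[name] = []
        elif name:                             # value line under the header
            exts[name] += [v.strip() for v in body.split(",")]
    return exts

def smime_signing_ok(exts):
    """Simplified (assumed) model of the non-CA S/MIME signing purpose check."""
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and "E-mail Protection" not in eku:
        return False, "EKU present without E-mail Protection: " + ", ".join(eku)
    ku = exts.get("X509v3 Key Usage")
    if ku is not None and not {"Digital Signature", "Non Repudiation"} & set(ku):
        return False, "Key Usage lacks Digital Signature / Non Repudiation"
    return True, "acceptable for S/MIME signing"

if __name__ == "__main__":
    print(smime_signing_ok(parse_extensions(CERT_TEXT)))
```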