>From: [email protected] On Behalf Of Massimiliano Masi >Sent: Monday, 07 January, 2013 10:18
>On Mon, Jan 7, 2013 at 3:11 PM, Dr. Stephen Henson <[email protected]> wrote: <snip: smime content-type x-blah, fixed> >./openssl smime -nooldmime -sign <snip> -signer cert.pem -inkey key.pem >However, I have [verify] errors (I'm using CAfile). With 1.0.1c >is not working, while 0.9.8 it is: >./openssl smime -verify -CAfile cert.pem -in message.txt.withCType.signed >Verification failure >2897402476:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error: >pk7_smime.c:342:Verify error:unable to get local issuer certificate >openssl smime -verify -CAfile cert.pem -in message.txt.withCType.signed <snip> >Verification successful Does cert.pem actually contain both your entity cert and "your" CA cert (i.e. the cert of the CA that issued your entity cert -- could be a public or external CA or could be one you did yourself)? If not, then supplying it for -CAfile is useless, and since you didn't specify -CApath, smime will look in openssl's default trust-dir, which depending on build options might be in different places, and if same (or different) as Dr Henson said 1.0.0 and later needs a different hash for the filename(s). What do openssl version -d and ./openssl version -d show? Do you have environment variable SSL_CERT_DIR set? For that dir or each of those dirs, does it contain a file that is your CA cert? If so, named or linked as what hash? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
