Hi,
Stefan asked on my behalf. The problem was the misleading GUI and
reading the texts also helped. The first, wrong, try was to import the
certificate with "Import certificates" where the help text reads:
--------------------------------------------------------------------
On this page, certificates can be imported. In most cases, imported
certificate are the certificates of external recipients or, certificates
from trusted CAs (intermediate and root certificates). Multiple
certificates can be imported at the same time from a pem or p7b encoded
file.
--------------------------------------------------------------------
If read, this implies that NO key gets imported as PKCS7 does not
contain it. What fixes this is "Import Private Keys". And this is where
the GUI is misleading. The help text reads:
--------------------------------------------------------------------
On this page, private keys and their associated certificates can be
imported. In most cases, imported keys and the associated certificates
are for internal users only. The keys are used for S/MIME signing of
outgoing email and for the decryption of incoming S/MIME encrypted
email. Keys from password protected pfx or p12 files can be imported.
--------------------------------------------------------------------
Bingo. Here PKCS12 files containing the certificate AND the key can be
imported and not only keys. Misleading is that "Import Private Keys"
does not only import keys but also certificates. Doing so fixed
everything. The imported certificate could now be used for signing:
Private Key Available true
Private Key Accessible true
I suggest allowing PKCS12 in "Import certificates" also. This seems to
me to be more consistent. All CAs I know ship their S/MIME certificates
as PKCS12. I can't imagine any use case for importing a key for an S/MIME
certificate separately.
IMHO "Import Private Keys" has a minor bug. My PKCS12 files also contain
the complete certificate chain. The root and intermediate certificates
also get imported into "Certificates" instead of into "Roots" where they IMHO
belong. I've imported the root and intermediate certificates into
"Roots", but I'm not sure if this is necessary or correct. At least it
did no harm.
Regards
Matthias
On 16.03.2016 at 09:43, Stefan Michael Guenther wrote:
Hello,
in our Ciphermail installation I have two certificates for my email address:
One created by StartSSL and one created by the CA of Ciphermail.
The StartSSL certificate lists as KeyUsage "keyEncipherment, dataEncipherment,
digitalSignature" and the local CA "keyEncipherment, digitalSignature".
But in the user profile, when I choose "S/MIME -> signing certificate" the
system only offers the local certificate.
Even in an account that only has the StartSSL certificate, this is not offered
for signing.
What could be the reason for that?
Regards,
Stefan
_______________________________________________
Users mailing list
[email protected]
https://lists.djigzo.com/lists/listinfo/users
--
MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: [email protected]
HR Coburg: B2242
Geschäftsführer: Matthias Henze
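The distinction the thread turns on (pem/p7b files carry certificates only, pfx/p12 files can carry the key as well) can be checked from a file's outer DER structure before choosing an import page. The following is an added example, not part of the original messages or of Ciphermail; the function names are hypothetical and the sample inputs are constructed.

```python
import base64

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2, PKCS#7 signedData

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def container_kind(data):
    """Classify file bytes as 'pkcs7', 'pkcs12' or 'other' from the outer structure."""
    try:
        if data.lstrip().startswith(b"-----BEGIN"):      # PEM: decode the first block only
            lines = data.split(b"-----END", 1)[0].splitlines()
            data = base64.b64decode(b"".join(
                l.strip() for l in lines if not l.strip().startswith(b"-----")))
        tag, start, _ = read_tlv(data, 0)
        if tag != 0x30:                                  # both containers are a SEQUENCE
            return "other"
        first, v0, v1 = read_tlv(data, start)
        if first == 0x06 and data[v0:v1] == OID_SIGNED_DATA:
            return "pkcs7"     # ContentInfo/signedData: certificates and CRLs, no key
        if first == 0x02 and data[v0:v1] == b"\x03" and read_tlv(data, v1)[0] == 0x30:
            return "pkcs12"    # PFX version 3: may hold key bags next to the certificates
    except (IndexError, ValueError):                     # too short, truncated or bad base64
        pass
    return "other"

def can_carry_private_key(data):
    return container_kind(data) == "pkcs12"

def tlv(tag, value):
    """Encode one DER element; used only to build the constructed samples below."""
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])  # enough for values < 256 bytes
    return bytes([tag]) + size + value

# Constructed, structurally minimal samples (not real certificates or keys).
P7B = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, b"")))
PFX = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, tlv(0x04, b"\x00" * 200)))
P7B_PEM = b"-----BEGIN PKCS7-----\n" + base64.encodebytes(P7B) + b"-----END PKCS7-----\n"
```

A "pkcs12" result only means the container format can hold a key; confirming that a key is actually present requires opening the file with its password.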