I have a certificate C.pfx that was given to me to work with OpenSSL. The certificate C.pfx has the following Certification path: C->B->A
I converted C.pfx to PEM using the following command: openssl pkcs12 -in C.pfx -out C.pem -nodes -- WORKS OK
I opened the certificate C.pem in the file editor and see that it has both RSA PRIVATE KEY and CERTIFICATE parts.
I also see both A and B certificates installed under the Trusted Root Certification Authorities store in Windows XP.
The goal is to sign, encrypt, decrypt and verify a test file using OpenSSL for Windows version 1.0.1c (it's currently the latest version)
I use the following commands:
--TO SIGN--
openssl smime -sign -signer C.pem -in test.txt -out test.tmp -- WORKS OK
--TO ENCRYPT--
openssl smime -encrypt -in test.tmp -out test.enc C.pem -- WORKS OK
--TO DECRYPT--
openssl smime -decrypt -in test.enc -recip C.pem -inkey C.pem -out test1.tmp -- WORKS OK
--TO VERIFY--
openssl smime -verify -in test1.tmp -CAfile "C.pem" -out notes1.txt -- FAILS
I used MMC console to export B and A certificates to CER files and then converted them to PEM using OpenSSL. After that I tried the following 2:
openssl smime -verify -in test1.tmp -CAfile "A.pem" -out notes1.txt -- FAILS
openssl smime -verify -in test1.tmp -CAfile "B.pem" -out notes1.txt -- FAILS
All 3 attempts to VERIFY failed with the following error:
Verification failure
3672:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:342:Verify error:unable to get local issuer certificate
What am I doing wrong?
When you use openssl smime -verify, openssl attempts to verify that the certificate it is to use is trusted by checking its signature (that's the signature in the certificate, not the signature in the signed message that you asked to verify). To do that it has to have a copy of the certificate for the key of the CA that issued the certificate.

The -CAfile parameter is used to pass the name of the file containing that CA certificate, NOT the certificate of the key used to sign the message. You would specify the certificate of the key used to sign the message with a -certfile parameter ... but in your case the certificate will be in the test.tmp file (you can suppress that by specifying -nocerts when you sign the message).

To suppress the checking of the key certificate when verifying a message you can supply the -noverify parameter to the verify command (though openssl smime -verify -noverify does look a bit weird).