 

OpenSSL: unable to get local issuer certificate

I have a certificate C.pfx that was given to me to work with OpenSSL. The certificate C.pfx has the following Certification path: C->B->A

I converted C.pfx to PEM using the following command: openssl pkcs12 -in C.pfx -out C.pem -nodes -- WORKS OK

I opened the certificate C.pem in the file editor and see that it has both RSA PRIVATE KEY and CERTIFICATE parts.

I also see both A and B certificates installed under the Trusted Root Certification Authorities store in Windows XP.

The goal is to sign, encrypt, decrypt and verify a test file using OpenSSL for Windows version 1.0.1c (it's currently the latest version)

I use the following commands:

--TO SIGN--

openssl smime -sign -signer C.pem -in test.txt -out test.tmp    -- WORKS OK

--TO ENCRYPT--

openssl smime -encrypt -in test.tmp -out test.enc C.pem     -- WORKS OK

--TO DECRYPT--

openssl smime -decrypt -in test.enc -recip C.pem -inkey C.pem -out test1.tmp    -- WORKS OK

--TO VERIFY--

openssl smime -verify -in test1.tmp -CAfile "C.pem" -out notes1.txt -- FAILS

I used MMC console to export B and A certificates to CER files and then converted them to PEM using OpenSSL. After that I tried the following 2:

openssl smime -verify -in test1.tmp -CAfile "A.pem" -out notes1.txt -- FAILS

openssl smime -verify -in test1.tmp -CAfile "B.pem" -out notes1.txt -- FAILS

All 3 attempts to VERIFY failed with the following error:

Verification failure
3672:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:342:Verify error:unable to get local issuer certificate

What am I doing wrong?

Alexey Nagoga asked Oct 08 '12 22:10




1 Answer

When you use openssl smime verify, openssl attempts to verify that the certificate it is to use is trusted by checking its signature (that's the signature in the certificate, not the signature in the signed message that you asked to verify). To do that it has to have a copy of the certificate for the key of the CA that issued the certificate.

The -CAfile parameter is used to pass the name of the file containing that CA certificate, NOT the certificate of the key used to sign the message. You would specify the certificate of the key used to sign the message with a -certfile parameter ... but in your case the certificate will be in the test.tmp file (you can suppress that by specifying -nocerts when you sign the message).

To suppress the checking of the key certificate when verifying a message you can supply the -noverify parameter to the verify command (though openssl smime verify -noverify does look a bit weird).

dajames answered Sep 21 '22 22:09
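
The role of -CAfile described in the answer, reproduced end to end as an added example (not part of the original question or answer): a throwaway chain A -> B -> C is generated and the same signed message is verified against each candidate -CAfile. It assumes an openssl binary on PATH; demo.cnf, issue, verify_with, the subject names and the file names are all constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: throwaway chain A -> B -> C (names follow the question).
work=$(mktemp -d) && cd "$work" || exit 1

cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# issue NAME SUBJECT ISSUER EXT_SECTION: new key plus certificate signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -extfile demo.cnf -extensions "$4" -days 2 -out "$1.pem" 2>/dev/null
}

# verify_with MESSAGE CAFILE: exit status 0 only if the signature and the
# signer's certificate chain both verify against the CAs in CAFILE
verify_with() {
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions v3_ca \
  -subj "/CN=Demo Root A" -keyout A.key -out A.pem -days 2 2>/dev/null
issue B "Demo Intermediate B" A v3_ca
issue C "Demo Signer C" B v3_leaf
cat A.pem B.pem > chain.pem   # root plus intermediate in one CA file

echo "constructed test message" > test.txt
# Only the signer certificate C is embedded in this message
openssl smime -sign -signer C.pem -inkey C.key -in test.txt -out test.tmp
# Here B is embedded as well, so only the root has to be supplied when verifying
openssl smime -sign -signer C.pem -inkey C.key -certfile B.pem \
  -in test.txt -out test2.tmp

for ca in C.pem A.pem B.pem chain.pem; do
  if verify_with test.tmp "$ca"; then r=OK; else r=FAIL; fi
  echo "test.tmp  -CAfile $ca: $r"
done
if verify_with test2.tmp A.pem; then r=OK; else r=FAIL; fi
echo "test2.tmp -CAfile A.pem: $r"
```

With OpenSSL 1.1.1 or 3.x the first three checks print FAIL and the last two print OK: verification succeeds only when every issuer between C and the self-signed root is available, either in the -CAfile or embedded in the message.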