Mahesh Anantharaman wrote:
>
> Hi
>
> Thanks a lot for your help. I converted the .p7c to .pem using this
> openssl pkcs7 -in key.p7c -inform DER -print_certs
> And I am trying to verify. I am getting Verification failure.
> Why!!! . What should I do.
> thanks
> regards
> mahesh
>
> D:\mananth\ssl\ssl_test\Debug>openssl smime -verify -CAfile rallen.pem
> -CApath
> . -in rallen.eml
> Verification Failure
> 760:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:.\crypto
> \pkcs7\pk7_smime.c:213:Verify error:self signed certificate in certificate
> chain
>
> D:\mananth\ssl\ssl_test\Debug>openssl smime -verify -nochain -CAfile
> rallen.pem
> -CApath . -in rallen.eml
> Verification Failure
> 848:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:.\crypto
> \pkcs7\pk7_smime.c:213:Verify error:unable to get local issuer certificate
First thing to note is that -CApath isn't much use under Windows.
Instead you need add all the root CA certificates you trust into a file
and then use the -CAfile argument. Some S/MIME software doesn't include
the root CA in a message since it isn't strictly necessary. There's some
root CAs in the 'certs' directory of OpenSSL. For example if this is the
Verisign class 1 CA then its in the file "vsign1.pem".
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
