I wanted to use a certificate to verify an e-mail. While Mozilla has no problem with that, OpenSSL 0.9.7a Feb 19 2003:

openssl smime -verify -CAfile cacert.pem -in smimetest -signer 12.pem

Verification failure
26660:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:222:Verify error:unsupported certificate purpose
Google returns nothing for smime "unsupported certificate purpose" and just a manual page for s/mime "unsupported certificate purpose".
What is technically wrong with a certificate like this?
[ new_oids ]
cl8021x = 1.3.6.1.5.5.7.3.2
se8021x = 1.3.6.1.5.5.7.3.1

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = cl8021x
nsComment = "EXPERIMENTAL User Certificate"
nsCaRevocationUrl = http://www.vsb.cz/cgi-bin/CA/CRLload.pl/002/cacrl.crt
crlDistributionPoints = URI:http://www.vsb.cz/cgi-bin/CA/CRLload.pl/002/cacrl.crt
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
The certificates are available at
http://www.vsb.cz/cgi-bin/CA/CAload.pl/002/cacert.crt
http://www.vsb.cz/cgi-bin/CA/Userload.pl/002/12.crt
The signed file at
http://homel.vsb.cz/~dol72/smimetest
Thanks in advance!
Ivan Dolezal
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
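
An added example, not part of the original post and not OpenSSL's own code: a simplified Python model of the S/MIME signing purpose tests described in OpenSSL's x509 documentation, run against the [ new_oids ] and [ usr_cert ] sections quoted in the message. It shows that cl8021x resolves to 1.3.6.1.5.5.7.3.2 (clientAuth), so the extendedKeyUsage extension is present but does not contain emailProtection. The function names and the one-directive-per-line config layout are assumptions of this example.

```python
# Added example: simplified model of the S/MIME signing purpose tests from
# OpenSSL's x509 documentation. Not OpenSSL code; helper names are hypothetical.
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
BUILTIN_EKU = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
               "codeSigning": "1.3.6.1.5.5.7.3.3", "emailProtection": EMAIL_PROTECTION}

# The relevant directives from the post, one per line.
CONFIG = """
[ new_oids ]
cl8021x = 1.3.6.1.5.5.7.3.2
se8021x = 1.3.6.1.5.5.7.3.1
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = cl8021x
"""

def parse(text):
    """Parse an openssl.cnf fragment into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def smime_sign_problems(cfg, section="usr_cert"):
    """Return the reasons the section's extensions fail the S/MIME signing tests."""
    ext = cfg[section]
    names = {**BUILTIN_EKU, **cfg.get("new_oids", {})}  # config aliases override
    items = lambda key: [v.strip() for v in ext[key].split(",") if v.strip() != "critical"]
    problems = []
    # If extendedKeyUsage is present it must include emailProtection.
    if "extendedKeyUsage" in ext:
        oids = [names.get(v, v) for v in items("extendedKeyUsage")]
        if EMAIL_PROTECTION not in oids:
            problems.append("extendedKeyUsage %s lacks emailProtection" % oids)
    # nsCertType needs the email bit; the SSL client bit is tolerated as a fallback.
    if "nsCertType" in ext and not {"email", "client"} & set(items("nsCertType")):
        problems.append("nsCertType lacks the S/MIME (email) bit")
    # If keyUsage is present it must allow signing.
    if "keyUsage" in ext and not {"digitalSignature", "nonRepudiation"} & set(items("keyUsage")):
        problems.append("keyUsage lacks digitalSignature/nonRepudiation")
    return problems

if __name__ == "__main__":
    print("\n".join(smime_sign_problems(parse(CONFIG))) or "no problems found")
```
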