Hi Christian,

> The way is correct, but HARICA has a separate certificate chain for
> S/MIME certificates.
> Therefore you do not need the ones from your Firefox browser.
>
> You can download the chain from HARICA itself.
> I added them as attachments, but don't know if they go through this list.
> Then separate them into single intermediate certificates, and place them
> into /usr/local/share/ca-certificates.
> Now you can run update-ca-certificates and are done.

Thanks for your help and yes, I received the attached certificate files via the list.

Just adding them to the server and running update-ca-certificates didn't seem to work. "Digital signature is not valid" when I click on a HARICA-signed message.

I checked if what you have sent is actually used in the smime.p7s signature file, which I have downloaded from a signed email message as follows.

1. Extract certs from SMIME certificate file:

   $ openssl pkcs7 -in smime.p7s -inform der -print_certs -out signer_certs.pem

   Check it's "OK":

   $ openssl x509 -in signer_certs.pem -noout -issuer -nameopt RFC2253
   issuer=CN=HARICA S/MIME RSA,O=Hellenic Academic and Research Institutions CA,C=GR

2. $ cat HARICA-GEANT-SMIME-R1.crt HARICA-SMIME-RSA.crt signer_certs.pem > intermediate_bundle.pem

3. Check that the downloaded certificate files are the ones actually used in the SMIME certificate file:

   $ openssl verify -CAfile HARICA-Client-Root-2021-RSA.crt -untrusted intermediate_bundle.pem signer_certs.pem
   signer_certs.pem: OK

Yes, they are.

Yet, when I restart the sogo service and look at the signed message, I get the above error.

Again, I'm sure I'm missing something obvious, but I'm running out of ideas where to look or what to try next.

Thanks in advance & best wishes,
Andreas.
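
The steps in the message above test whether the certificates embedded in smime.p7s chain to the root; whether the signature verifies over the message content is a separate check. The following is an added example, not part of the original thread, that runs both checks against a throwaway chain; the CA names, file names and messages in it are constructed, and it assumes the openssl command-line tool is installed.

```shell
# Added example. CA names, file names and the messages are constructed test data.
set -eu

make_chain() {  # $1 = work dir: root -> inter -> leaf, plus a detached smime.p7s
  ( cd "$1"
    cat > x.cnf <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config x.cnf -extensions ca \
      -subj "/CN=Example Client Root" -keyout root.key -out root.crt
    for n in inter leaf; do
      openssl req -new -newkey rsa:2048 -nodes -config x.cnf \
        -subj "/CN=Example $n" -keyout "$n.key" -out "$n.csr"
    done
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile x.cnf -extensions ca -out inter.crt
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 2 -extfile x.cnf -extensions leaf -out leaf.crt
    printf 'constructed message\r\n' > msg.txt; printf 'altered message\r\n' > tampered.txt
    openssl smime -sign -binary -in msg.txt -signer leaf.crt -inkey leaf.key \
      -certfile inter.crt -outform DER -out smime.p7s
  ) >/dev/null 2>&1
}

# Chain check as in the post; "openssl verify" tests only the first cert in the target file.
chain_ok() {    # $1 = work dir
  ( cd "$1" &&
    openssl pkcs7 -in smime.p7s -inform der -print_certs -out signer_certs.pem &&
    openssl verify -CAfile root.crt -untrusted signer_certs.pem signer_certs.pem
  ) >/dev/null 2>&1
}

# Signature check: same trust anchor, but also binds the signature to a content file.
sig_ok() {      # $1 = work dir, $2 = content file
  ( cd "$1" && openssl smime -verify -binary -in smime.p7s -inform DER \
      -content "$2" -CAfile root.crt -out /dev/null ) >/dev/null 2>&1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; make_chain "$work"
chain_ok "$work" && echo "chain: OK"
for f in msg.txt tampered.txt; do
  sig_ok "$work" "$f" && echo "$f: signature OK" || echo "$f: signature FAILED"
done
```

The chain check passes for both content files because it never looks at the message, while the signature check passes only for the content that was signed. On Debian-based systems, replacing -CAfile root.crt with -CApath /etc/ssl/certs runs the same check against the store that update-ca-certificates maintains.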
