Hi, all, It seems to me that for SMIME siganture verification, ALL CA certificates (including root and intermediate CAs) have to be included in the CA file specified in -CAfile option. I don't really understand why this should be enforced. In earlier version of OpenSSL there is an option -NOCHAIN for verification, but it seems to me that it has been removed in OpenSSL 0.9.6a. Does anybody know the reason? If the intermediate CA certificates is included in the signature, why do I have to put intermediate CA certs in the CA files again? Do I have a work arround for this? During the signature verification process, I also want to check the signer cert included in the signature matches a cert installed in my system. Does anyone know what is the best way to do this? If I specify -nointern and -certfile like following the proper way to do this? openssl smime -verify -nointern -certfile usercert.pem -CAfile cafile.pem -in signature Thanks in advance for any help. Kate _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]