Kate Wang wrote:
>
> Hi, all,
>
> It seems to me that for SMIME signature verification, ALL CA certificates
> (including root and intermediate CAs) have to be included in the CA file
> specified in the -CAfile option. I don't really understand why this should be
> enforced. In earlier versions of OpenSSL there is an option -NOCHAIN for
> verification, but it seems to me that it has been removed in OpenSSL 0.9.6a.
> Does anybody know the reason?
>

Only the root CA and any intermediate CAs missing in the message need to be
included.

> If the intermediate CA certificates are included in the signature, why do I
> have to put intermediate CA certs in the CA files again? Do I have a
> workaround for this?
>
> During the signature verification process, I also want to check the signer
> cert included in the signature matches a cert installed in my system. Does
> anyone know what is the best way to do this? Is specifying -nointern and
> -certfile like the following the proper way to do this?
>
> openssl smime -verify -nointern -certfile usercert.pem -CAfile cafile.pem -in signature
>

That should be OK. If you include -noverify as well you don't actually need the
CA certificate in this case because the -certfile certificates are trusted.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
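
The behaviour discussed in the thread above, as an added example that is not part of the original messages: a script that builds a throwaway root, intermediate and signer certificate, embeds the intermediate in the signature, and runs the verification variants mentioned. The subject names, the `inter`/`other` certificates and the helper functions are constructed for the demonstration; `usercert.pem`, `cafile.pem` and `signature` follow the file names in the question.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> inter -> usercert / other (names are assumptions).
set -e
cd "$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

newkey() {  # newkey NAME -> NAME.key and NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
issue() {   # issue NAME ISSUER [x509 options] -> NAME.pem signed by ISSUER
  name=$1; ca=$2; shift 2
  openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 2 -out "$name.pem" "$@" 2>/dev/null
}
verify() {  # verify [smime options]; exit status 0 means the signature was accepted
  openssl smime -verify -in signature -out /dev/null "$@" 2>/dev/null
}
report() {
  if verify "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi
}

for n in root inter usercert other; do newkey "$n"; done
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 2 -out root.pem 2>/dev/null
issue inter root -extfile ca.ext
issue usercert inter
issue other inter
cp root.pem cafile.pem   # cafile.pem holds the root CA only

echo 'constructed test message' > msg.txt
# The signer certificate and the intermediate both travel inside the signature.
openssl smime -sign -in msg.txt -signer usercert.pem -inkey usercert.key \
  -certfile inter.pem -out signature 2>/dev/null

# Root-only CA file: the intermediate is taken from the message itself.
report -CAfile cafile.pem
# Signer must be the locally installed usercert.pem; the chain is still checked.
report -nointern -certfile usercert.pem -CAfile cafile.pem
# -noverify skips chain validation, so no CA file is needed.
report -nointern -certfile usercert.pem -noverify
# A different installed certificate does not match the signer: rejected.
report -nointern -certfile other.pem -CAfile cafile.pem
```

With `-noverify` the only thing standing between an arbitrary signer and acceptance is the content of the `-certfile` file, so that file needs the same protection as a CA file.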