On Tue, Jun 03, 2003, Ivan Doležal wrote:

> Hello,
> 
> I wanted to use a certificate to verify an e-mail. While Mozilla has no 
> problem with that, OpenSSL 0.9.7a Feb 19 2003 :
> 
> openssl smime -verify -CAfile cacert.pem -in smimetest -signer 12.pem
> 
> Verification failure
> 26660:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:222:Verify error:unsupported certificate purpose
> 
> Google says nothing about
> smime "unsupported certificate purpose"
> and just a manual page for
> s/mime "unsupported certificate purpose"
> 
> 
> What is technically wrong with a certificate like this?
> 
> [ new_oids ]
> cl8021x = 1.3.6.1.5.5.7.3.2
> se8021x = 1.3.6.1.5.5.7.3.1
> 
> [ usr_cert ]
> basicConstraints=CA:FALSE
> nsCertType = client, email, objsign
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = cl8021x
> nsComment = "EXPERIMENTAL User Certificate"
> nsCaRevocationUrl = http://www.vsb.cz/cgi-bin/CA/CRLload.pl/002/cacrl.crt
> crlDistributionPoints = URI:http://www.vsb.cz/cgi-bin/CA/CRLload.pl/002/cacrl.crt
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer:always
> 
> 
> The certificates are available at
> 
> http://www.vsb.cz/cgi-bin/CA/CAload.pl/002/cacert.crt
> http://www.vsb.cz/cgi-bin/CA/Userload.pl/002/12.crt
> 
> The signed file at
> 
> http://homel.vsb.cz/~dol72/smimetest
> 
> 

This purpose checking is mentioned on the verify page.

The extended key usage line above seems garbled, but from your link it looks
like you are just including client authentication. For S/MIME use you need
emailProtection as well.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
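
Added example, not part of the original thread: a shell check that builds throwaway self-signed certificates from the posted `usr_cert` extensions and asks `openssl x509 -purpose` whether S/MIME signing is permitted, with and without `emailProtection` in `extendedKeyUsage`. The function name, subject and temporary file names are constructed, and it assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example: helper name, subject and file names are constructed.
# Prints OpenSSL's "S/MIME signing" verdict (Yes/No) for a throwaway
# self-signed certificate carrying the given extendedKeyUsage value.
smime_sign_purpose() {
    eku=$1
    dir=$(mktemp -d) || return 1
    # Same nsCertType and keyUsage as the posted [ usr_cert ] section;
    # only extendedKeyUsage varies between runs.
    cat > "$dir/test.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = eku-test
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
    if ! openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/test.cnf" -extensions usr_cert \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    then
        rm -rf "$dir"
        return 1
    fi
    # Keep only the end-entity line, not "S/MIME signing CA".
    openssl x509 -in "$dir/cert.pem" -noout -purpose |
        sed -n 's/^S\/MIME signing : //p'
    rm -rf "$dir"
}

# clientAuth is OID 1.3.6.1.5.5.7.3.2, the value the posted config assigns.
echo "clientAuth only:              $(smime_sign_purpose clientAuth)"
echo "clientAuth + emailProtection: $(smime_sign_purpose 'clientAuth, emailProtection')"
```

The first certificate is refused for S/MIME signing even though `nsCertType` and `keyUsage` allow it, because a present `extendedKeyUsage` that omits `emailProtection` restricts the certificate to the purposes it lists.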