On May 14, 2008 08:05:30 am Viresh Singh wrote:
> Hi
> I am trying to create a certificate authority.  I am trying to secure emails
> from my clients to my server.  The client certificates import fine.  Trying
> to send a signed email works fine, but encrypting the email does not.  It
> states that the intended recipient has missing or invalid certificates, or
> conflicting or unsupported encryption capabilities.  I am using openssl
> version 0.9.8g, using Microsoft Outlook as the email client.  Any help will
> be much appreciated.
>
First of all, when doing S/MIME, you need to have two certificates - one for 
signing, and one for encryption. This is because you will probably want to 
escrow the encryption key (you want to make backups of the key and/or have 
your employer be able to read your email if they have to fulfill a SOX or 
other governance request, right?), but not the signature key (since no-one 
should ever be able to impersonate you).

Next, you need to have the right keyUsage and subjectAltName values set for 
those two different types of certificate.

For Signing, the following should work:

KU: digitalSignature

For Encryption, the following should work:

KU: keyEncipherment, dataEncipherment

If you wish, you can also add in the SMIME specific EKU to both of these:

EKU: emailProtection

And, lastly, you also need to make sure that the email address appears in the 
SubjectAltName as an attribute of type email.

For an example of how to set up a CA to do all of this, take a look at:

http://www.carillon.ca/library/howtos.php 
-> How to Set Up an OpenSSL TEST CA for Interoperability Testing with 
CertiPath

This has quite a full description of how to set up the various profiles that 
are required for Identity, Signature and Encryption.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]