Thanks, this seems to work pretty well. I read that with a PKCS7 file, there was the option of having one or more co-signers. So I sign the file, send it to someone else, and they co-sign the file and then send it to a third party who is then able to verify it with the root CA.
I can't seem to figure out how to get co-signing to work. The openssl documentation says there is a "smime -resign" function, but my version doesn't seem to include it (0.9.8g is the signer version and 0.9.7f is the verifying version).

Is co-signing available in openssl?

Thanks.

On Mon, Dec 15, 2008 at 12:07 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Mon, Dec 15, 2008 at 12:40:39PM -0500, Victor Duchovni wrote:
>
> > On Mon, Dec 15, 2008 at 11:37:04AM -0600, Mike J wrote:
> >
> > > It looks like the smime utility is what I'm looking for, however I'm running
> > > into issues with it.
> > > I'm working with binary files here, some that could potentially be 50MB.
> > >
> > > I create the signed file with:
> > > openssl smime -sign -in file.bin -binary -signer cert.crt -inkey ./private.pem -out file.bin.signed
> >
> > You forgot "-outform DER" or "-outform PEM" (whichever is required by
> > the consuming application).
>
> You'll also need "-nodetach", if you want the PKCS#7 file to include
> the content, rather than just contain a detached signature. If your
> certificate is signed by an intermediate CA, you'll also need -certfile,
> which should contain the intermediate CA certs, and optionally the root
> CA cert.
>
> > > Seems to work. I then try to verify it with:
> > > openssl smime -verify -in file.bin.signed -out file.bin.orig
> >
> > Don't forget "-inform DER" or "-inform PEM".
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
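
The sign, co-sign and verify round trip discussed in this thread, as an added example that is not part of the original messages. It assumes an OpenSSL release whose `smime` command includes `-resign` (1.0.0 or later); the file names, subjects and the two self-signed test certificates (standing in for CA-issued signer certificates) are constructed for the demonstration.

```shell
#!/bin/sh
# Sign a binary file as PKCS#7 (DER, content embedded), add a co-signer,
# then verify both signatures and recover the original content.

make_signer() {  # $1 = file basename, $2 = common name (constructed test identity)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

cosign_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_signer alice "Test Signer A" || exit 1
        make_signer bob "Test Signer B" || exit 1
        # Verifier's trust anchors. With CA-issued certificates this file
        # would hold only the root CA, and signers would pass -certfile.
        cat alice.crt bob.crt > trusted.pem
        head -c 4096 /dev/urandom > file.bin   # constructed binary payload

        # First signer: -binary keeps bytes as-is, -nodetach embeds the content.
        openssl smime -sign -binary -nodetach -in file.bin \
            -signer alice.crt -inkey alice.key \
            -outform DER -out file.bin.signed || exit 1

        # Co-signer: adds a second SignerInfo to the existing structure.
        openssl smime -resign -inform DER -in file.bin.signed \
            -signer bob.crt -inkey bob.key \
            -outform DER -out file.bin.cosigned || exit 1

        # Third party: verification fails if any signature or chain is bad.
        # -signer writes the certificates of the verified signers.
        openssl smime -verify -binary -inform DER -in file.bin.cosigned \
            -CAfile trusted.pem -signer signers.pem -out file.bin.orig \
            2>/dev/null || exit 1

        cmp -s file.bin file.bin.orig || exit 1
        grep -c 'BEGIN CERTIFICATE' signers.pem   # number of verified signers
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

cosign_demo   # prints 2
```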