On Tue, Nov 09, 2010, Jens Lechtenboerger wrote:

> Hi there,
> 
> I received an SMIME certificate and want to know the correct
> filename to use in the command "openssl smime -verify -CAfile
> <filename>..."
> 

The hash based filename doesn't apply to the -CAfile option: you can name the
file anything you want.

It does apply to -CApath.

> In my particular example,
> openssl x509 -in smime.pem -issuer_hash -noout 
> results in 9ec3a561.  However, if I use that certificate (available
> as /etc/ssl/certs/9ec3a561.0 on my system) then verification fails.
> What is issuer_hash good for?
> 
> Running strace on "openssl smime -verify" with the preinstalled list
> of certificates shows that /etc/ssl/certs/75680d2e.0 is the CAfile
> necessary for validation.  What is the recommended way to find the
> hash value 75680d2e?
> 

Note the hash algorithm changed between OpenSSL 0.9.8 and 1.0.0, so be careful
you aren't using different versions for the hash calculation and the
verification.

The usual reason for a different hash is that it isn't the correct issuer
certificate.

If you do:

openssl x509 -in smime.pem -issuer -noout

it should match:

openssl x509 -in ca.pem -subject -noout

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
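
Added example, not part of the original thread or of OpenSSL itself: a bash sketch of the lookup discussed above. It files a CA certificate in a -CApath directory under its subject hash, then finds a certificate's issuer there by issuer hash and confirms the match by comparing issuer with subject. The function names and paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread). Function names and paths are
# hypothetical. Run it with the same OpenSSL build that does the verification,
# because the hash algorithm differs between 0.9.8 and 1.0.0.

# Print a certificate's issuer or subject name without the leading label.
cert_name() {  # usage: cert_name <issuer|subject> <cert.pem>
    local line
    line=$(openssl x509 -in "$2" "-$1" -noout) || return 1
    printf '%s\n' "${line#*=}"
}

# Copy a CA certificate into a -CApath directory as <subject_hash>.N, taking
# the first free N so certificates with the same hash do not overwrite each other.
install_ca() {  # usage: install_ca <ca.pem> <capath-dir>
    local hash n
    n=0
    hash=$(openssl x509 -in "$1" -subject_hash -noout) || return 1
    while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
    cp "$1" "$2/$hash.$n" && printf '%s\n' "$2/$hash.$n"
}

# Find the issuer of <cert.pem> in a -CApath directory. Candidates are
# <issuer_hash>.0, .1, ...; each is confirmed by checking that its subject
# equals the certificate's issuer.
find_issuer() {  # usage: find_issuer <cert.pem> <capath-dir>
    local hash issuer n
    n=0
    hash=$(openssl x509 -in "$1" -issuer_hash -noout) || return 1
    issuer=$(cert_name issuer "$1") || return 1
    while [ -e "$2/$hash.$n" ]; do
        if [ "$(cert_name subject "$2/$hash.$n")" = "$issuer" ]; then
            printf '%s\n' "$2/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1   # no file named after the issuer hash has a matching subject
}
```

find_issuer prints the matching file and returns 0, or returns 1 when the directory holds no certificate whose subject is the issuer.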
