On 2010-11-09, Dr. Stephen Henson wrote:
> On Tue, Nov 09, 2010, Jens Lechtenboerger wrote:
>
>> Hi there,
>>
>> I received an SMIME certificate and want to know the correct
>> filename to use in the command "openssl smime -verify -CAfile
>> <filename>..."
>>
>
> The hash based filename doesn't apply to the -CAfile option: you can name the
> file anything you want.
>
> It does apply to -CApath
Thank you for your quick reply, my fault. I meant to use that option.
The problem below remains, however.

>> In my particular example,
>> openssl x509 -in smime.pem -issuer_hash -noout
>> results in 9ec3a561. However, if I use that certificate (available
>> as /etc/ssl/certs/9ec3a561.0 on my system) then verification fails.
>> What is issuer_hash good for?
>>
>> Running strace on "openssl smime -verify" with the preinstalled list
>> of certificates shows that /etc/ssl/certs/75680d2e.0 is the CAfile
>> necessary for validation. What is the recommended way to find the
>> hash value 75680d2e?
>>
>
> Note the hash algorithm changed from OpenSSL 0.9.8 and 1.0.0 so be careful you
> aren't using different versions for the hash calculation and the verification.

I retried on the command line with: OpenSSL 0.9.8k 25 Mar 2009

> The usual reason for a different hash is that it isn't the correct issuer
> certificate.
>
> If you do:
>
> openssl x509 -in smime.pem -issuer -noout

I find:

issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email

> it should match:
>
> openssl x509 -in ca.pem -subject -noout

I get:

openssl x509 -in 75680d2e.0 -subject -noout
subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

which does not match. (Besides, -subject_hash results in 75680d2e.)

However:

openssl x509 -in 9ec3a561.0 -subject -noout
subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email

(-subject_hash results in 9ec3a561.)

Surprisingly, verification succeeds if I put 75680d2e.0 into a separate
directory for CApath (although the issuer does not match the subject); it
fails with a directory containing only 9ec3a561.0 (where issuer and subject
match). Again, with /etc/ssl/certs as CApath, openssl figures out that it
needs 75680d2e.0. How?
(The displayed issuer does not appear to play any role in that process.)

Thanks
Jens
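The hash-based lookup that -CApath performs, as an added shell example that is not part of the thread: rehash_dir lays out a directory the way c_rehash does (<subject_hash>.N entries), and issuer_file shows which of those entries OpenSSL consults for a given certificate, namely the one keyed by that certificate's -issuer_hash whose subject equals the certificate's issuer. It assumes the openssl command-line tool is installed; the helper names and paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): build a -CApath directory the way
# c_rehash does and show which entry OpenSSL consults for a certificate's issuer.
# Assumes the openssl CLI is on PATH; helper names and paths are illustrative.
set -eu

# rehash_dir SRC_DIR CAPATH: link every PEM certificate in SRC_DIR into CAPATH
# as <subject_hash>.<N>, incrementing N when two subjects share a hash
# (this is where the ".0" in a name like 75680d2e.0 comes from).
rehash_dir() {
    src=$1; capath=$2
    mkdir -p "$capath"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -in "$pem" -subject_hash -noout)
        n=0
        while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")" "$capath/$h.$n"
    done
}

# issuer_file CERT CAPATH: print the CApath entry OpenSSL would load when
# chaining upward from CERT. The lookup key is CERT's -issuer_hash; among the
# <hash>.N candidates, the one whose subject equals CERT's issuer is used.
# Prints nothing and returns 1 when no candidate matches.
issuer_file() {
    cert=$1; capath=$2
    h=$(openssl x509 -in "$cert" -issuer_hash -noout)
    want=$(openssl x509 -in "$cert" -issuer -noout | sed 's/^issuer= *//')
    n=0
    while [ -e "$capath/$h.$n" ]; do
        got=$(openssl x509 -in "$capath/$h.$n" -subject -noout | sed 's/^subject= *//')
        if [ "$got" = "$want" ]; then
            echo "$capath/$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}
```

OpenSSL repeats this lookup for every certificate it appends to the chain, including intermediates carried inside the S/MIME message itself, so the CApath entry it ultimately needs is the one matching the issuer of the last certificate it could chain, which need not be the issuer printed for smime.pem.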