Re: smime_keys doesn't work on 1.5.x for me
On Fri, Jul 28, 2006 at 07:36:28PM +0400, Anatoly Pugachev wrote:
> On Thu, Jul 27, 2006 at 12:03:10PM +0200, Christoph Ludwig wrote:
> | On Wed, Jul 26, 2006 at 04:04:03PM +0400, Anatoly Pugachev wrote:
> | > Can someone help me with importing thawte free email smime certificate into
> | > mutt ? I'm getting error trying to do that on mutt-1.5.12 :
> | >
> | > $ smime_keys init
> | > $ smime_keys add_p12 cert.p12
> | >
> | > NOTE: This will ask you for two passphrases:
> | > 1. The passphrase you used for exporting
> | > 2. The passphrase you wish to secure your private key with.
> | >
> | > Enter Import Password:
> | > MAC verified OK
> | > Enter PEM pass phrase:
> | > Verifying - Enter PEM pass phrase:
> | > Couldn't identify root certificate!
> | > No root and no intermediate certificates. Can't continue. at
> | > /usr/local/bin/smime_keys line 668.
[...]
> | Did you check that Thawte's root certificate is in ca-bundle.crt? Otherwise
> | you can simply append it.
>
> $ grep -ci thawte .smime/ca-bundle.crt
> 18
>
> and also i have following in it :
>
> Thawte Personal Freemail CA
> ===========================
> MD5 Fingerprint: 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
>
> any further help?
I can only speculate then. From a cursory look into smime_keys I gathered that
the subroutine handle_pem(@) - which is called after smime_keys extracted the
p12 file - expects the whole certificate chain in its input. (Beware, it's
been years since I programmed in Perl, so I may be wrong!) Perhaps the p12
file you got from Thawte contains only your key and your certificate, but not
the CA certificate? In this case you may generate a new p12 file with
openssl.
If all fails you can still add your keypair manually. After all, the key
and certificate "databases" are simply directories in which each key (or
certificate, respectively) is stored as a PEM file named <hash>.<counter>
where <hash> is the 8 hex-digits long hash of the certificate (or the
certificate belonging to this key) and <counter> is, well, a counter used to
disambiguate certs with the same hash (e.g., if you prolonged your
certificate). The openssl p12 and x509 commands let you easily extract the
certificate and key from your p12 file and determine the necessary hash
value.
BTW, I find the GPGME crypto backend more convenient to use. Its only
drawback (for me) is that it cannot decrypt S/MIME mails sent by thunderbird
users because the underlying crypto library does not handle RC4. For such
emails I have to use thunderbird myself or fall back to mutt's "classic"
S/MIME backend that calls the openssl command line tools.
HTH
Christoph
--
FH Worms - University of Applied Sciences
Fachbereich Informatik / Telekommunikation
Erenburgerstr. 19, 67549 Worms, Germany
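The manual route described in the reply above, as an added example that is not from the thread or from mutt's own smime_keys script: it pulls the certificate and key out of the p12 with openssl, names both files <hash>.<counter> using the 8-hex-digit value from openssl x509 -hash, and picks the next free counter. It assumes the store lives in ~/.smime unless a second argument is given, and that the two passphrases are supplied in the environment variables SMIME_IMPORT_PW and SMIME_KEY_PW (names chosen here) so they never appear on a command line.

```shell
#!/bin/sh
# Install the key and certificate from a .p12 into mutt's classic S/MIME
# store by hand. Assumptions (not from the thread): the store defaults to
# ~/.smime, and the passphrases come from the environment variables
# SMIME_IMPORT_PW (export passphrase of the .p12) and SMIME_KEY_PW (passphrase
# for the extracted key); openssl's env: syntax keeps them out of `ps`.
set -eu

# Print the next unused counter for HASH in DIR (0 if none exists yet).
next_counter() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    echo "$n"
}

# smime_install_p12 FILE.p12 [SMIME_DIR]  -> prints the "<hash>.<counter>" name
smime_install_p12() {
    p12=$1; smime=${2:-$HOME/.smime}
    tmp=$(mktemp -d)
    mkdir -p "$smime/certificates" "$smime/keys"
    # -clcerts: only our own (end-entity) certificate, not the CA chain.
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:SMIME_IMPORT_PW \
        -out "$tmp/cert.pem"
    # The private key, re-encrypted under the new passphrase.
    openssl pkcs12 -in "$p12" -nocerts -passin env:SMIME_IMPORT_PW \
        -passout env:SMIME_KEY_PW -out "$tmp/key.pem"
    # The 8 hex digits mutt uses as the file name: the subject hash.
    hash=$(openssl x509 -in "$tmp/cert.pem" -noout -hash)
    n=$(next_counter "$smime/certificates" "$hash")
    cp "$tmp/cert.pem" "$smime/certificates/$hash.$n"
    cp "$tmp/key.pem"  "$smime/keys/$hash.$n"
    chmod 600 "$smime/keys/$hash.$n"
    rm -rf "$tmp"
    echo "$hash.$n"
}
```

Point `smime_default_key` in muttrc at the printed name; the script does not maintain the `.index` files smime_keys writes for address lookups. Note that OpenSSL 1.0.0 changed the -hash algorithm, so a store built with an older openssl uses the value that newer releases print with -subject_hash_old.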