On Sun, Jul 30, 2006 at 12:13:28PM +0200, Christoph Ludwig wrote:
|
| On Fri, Jul 28, 2006 at 07:36:28PM +0400, Anatoly Pugachev wrote:
| > On Thu, Jul 27, 2006 at 12:03:10PM +0200, Christoph Ludwig wrote:
| > | On Wed, Jul 26, 2006 at 04:04:03PM +0400, Anatoly Pugachev wrote:
| > | > Can someone help me with importing a Thawte free email S/MIME certificate into
| > | > mutt? I'm getting an error trying to do that on mutt-1.5.12:
| > | >
| > | > $ smime_keys init
| > | > $ smime_keys add_p12 cert.p12
| > | >
| > | > NOTE: This will ask you for two passphrases:
| > | > 1. The passphrase you used for exporting
| > | > 2. The passphrase you wish to secure your private key with.
| > | >
| > | > Enter Import Password:
| > | > MAC verified OK
| > | > Enter PEM pass phrase:
| > | > Verifying - Enter PEM pass phrase:
| > | > Couldn't identify root certificate!
| > | > No root and no intermediate certificates. Can't continue. at
| > | > /usr/local/bin/smime_keys line 668.
| [...]
| > | Did you check that Thawte's root certificate is in ca-bundle.crt? Otherwise
| > | you can simply append it.
| >
| > $ grep -ci thawte .smime/ca-bundle.crt
| > 18
| >
| > and also I have the following in it:
| >
| > Thawte Personal Freemail CA
| > ===========================
| > MD5 Fingerprint: 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
| >
| > any further help?
|
| I can only speculate then. From a cursory look into smime_keys I gathered that
| the subroutine handle_pem(@) - which is called after smime_keys extracted the
| p12 file - expects the whole certificate chain in its input. (Beware, it's
| been years since I programmed in Perl, so I may be wrong!) Perhaps the p12
| file you got from Thawte contains only your key and your certificate, but not
| the CA certificate? In this case you may generate a new p12 file with
| openssl.

Ahh, yes! My cert.p12 was not including the CA certificate.
I copied "Thawte Personal Freemail CA" into another file and used the following to merge the certs:

$ cp cert.p12 cert.p12-orig # save a backup copy
$ openssl pkcs12 -in cert.p12 -out file.pem -nodes
$ openssl pkcs12 -export -in file.pem -out cert.p12 -certfile ca-thawte.crt

Then smime_keys finished successfully and I'm able to use S/MIME signing. Thanks a lot!

I've no idea why IE/Firefox is exporting user certificates with no CA cert included. And while looking for a solution on Google (smime_keys) I found some people who were complaining about the same problem as me. Maybe it should be added to smime_notes.txt that the file cert.p12 should also have the CA certificate included, and how to check that with openssl:

openssl pkcs12 -in cert.p12 -cacerts -nokeys # should have some output with Thawte

| If all fails you can still add your keypair manually. After all, the key
| and certificate "databases" are simply directories in which each key (or
| certificate, respectively) is stored as a PEM file named <hash>.<counter>
| where <hash> is the 8 hex-digits long hash of the certificate (or the
| certificate belonging to this key) and <counter> is, well, a counter used to
| disambiguate certs with the same hash (e.g., if you prolonged your
| certificate). The openssl p12 and x509 commands let you easily extract the
| certificate and key from your p12 file and determine the necessary hash
| value.
|
| BTW, I find the GPGME crypto backend more convenient to use. Its only
| drawback (for me) is that it cannot decrypt S/MIME mails sent by thunderbird
| users because the underlying crypto library does not handle RC4. For such
| emails I have to use thunderbird myself or fall back to mutt's "classic"
| S/MIME backend that calls the openssl command line tools.
|
| HTH
|
| Christoph

--
Anatoly Pugachev
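The following script is an added worked example and is not code from this thread, from mutt or from its smime_keys script. It reproduces the situation Anatoly describes (a PKCS#12 that carries only the key and the user certificate), runs the `openssl pkcs12 -cacerts -nokeys` check he proposes for smime_notes.txt, rebuilds the .p12 with the CA certificate appended as in his three commands, and finally prints the 8-hex-digit hash that Christoph's description of the <hash>.<counter> file names refers to. The CA name "Demo Personal Freemail CA", the subject user@example.org, the password "demo" and all file names are constructed demo data, not Thawte's; the passwords are passed with -passin/-passout only so the demo runs unattended, which you would not do with a real key on a shared host. It needs only the openssl command line tool (1.1.x or 3.x).

```shell
#!/bin/sh
# Added example, not code from the thread or from mutt: reproduce the
# "p12 without CA certificate" situation with a throwaway CA, run the check
# the thread suggests, then rebuild the PKCS#12 with the CA included.
# Everything below (CA name, user@example.org, password "demo", file names)
# is constructed demo data; only the openssl CLI (1.1.x or 3.x) is required.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a self-signed CA and one user certificate it issued.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Personal Freemail CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=user@example.org/emailAddress=user@example.org" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/user.crt" >/dev/null 2>&1
}

# What a browser export without the chain looks like: key + user cert only.
export_without_ca() {
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
        -out "$1" -passout pass:"$2"
}

# The check from the thread: how many CA certificates does the .p12 carry?
# 0 is exactly the case in which smime_keys stops with "No root and no
# intermediate certificates". openssl lists as CA certs every cert bag that
# has no localKeyID, i.e. everything except the cert matching the key.
count_cacerts() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin pass:"$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# The fix from the thread: unpack to PEM, re-export with the CA appended.
# Caveat: -nodes writes the private key unencrypted to file.pem, so the
# temporary file is removed as soon as the new .p12 exists.
add_ca_to_p12() {
    p12=$1; ca=$2; pass=$3
    cp "$p12" "$p12-orig"
    openssl pkcs12 -in "$p12" -out "$WORK/file.pem" -nodes -passin pass:"$pass"
    openssl pkcs12 -export -in "$WORK/file.pem" -certfile "$ca" \
        -out "$p12" -passout pass:"$pass"
    rm -f "$WORK/file.pem"
}

# The <hash> part of mutt's <hash>.<counter> file names is the subject-name
# hash that `openssl x509 -noout -hash` prints (8 hex digits).
cert_hash() {
    openssl x509 -in "$1" -noout -hash
}

make_demo_pki
export_without_ca "$WORK/cert.p12" demo
BEFORE=$(count_cacerts "$WORK/cert.p12" demo)
add_ca_to_p12 "$WORK/cert.p12" "$WORK/ca.crt" demo
AFTER=$(count_cacerts "$WORK/cert.p12" demo)
echo "CA certificates in cert.p12: before=$BEFORE after=$AFTER"
echo "mutt would store the key and cert under: $(cert_hash "$WORK/user.crt").0"
```

To apply this to a real export, replace the throwaway CA with the issuing CA certificate copied out of ca-bundle.crt (the "Thawte Personal Freemail CA" block in the thread) and run only add_ca_to_p12 and count_cacerts against your own cert.p12; a count of 0 before and 1 or more after is what smime_keys add_p12 needs.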