
Re: smime_keys doesn't work on 1.5.x for me



On Sun, Jul 30, 2006 at 12:13:28PM +0200, Christoph Ludwig wrote:
| 
| On Fri, Jul 28, 2006 at 07:36:28PM +0400, Anatoly Pugachev wrote:
| > On Thu, Jul 27, 2006 at 12:03:10PM +0200, Christoph Ludwig wrote:
| > | On Wed, Jul 26, 2006 at 04:04:03PM +0400, Anatoly Pugachev wrote:
| > | > Can someone help me with importing thawte free email smime certificate into
| > | > mutt ? I'm getting an error trying to do that on mutt-1.5.12 :
| > | > 
| > | > $ smime_keys init
| > | > $ smime_keys add_p12 cert.p12
| > | > 
| > | > NOTE: This will ask you for two passphrases:
| > | >        1. The passphrase you used for exporting
| > | >        2. The passphrase you wish to secure your private key with.
| > | > 
| > | > Enter Import Password:
| > | > MAC verified OK
| > | > Enter PEM pass phrase:
| > | > Verifying - Enter PEM pass phrase:
| > | > Couldn't identify root certificate!
| > | > No root and no intermediate certificates. Can't continue. at
| > | > /usr/local/bin/smime_keys line 668.
| [...]
| > | Did you check that Thawte's root certificate is in ca-bundle.crt? Otherwise
| > | you can simply append it.
| > 
| > $ grep -ci thawte .smime/ca-bundle.crt 
| > 18
| > 
| > and also i have following in it :
| > 
| > Thawte Personal Freemail CA
| > ===========================
| > MD5 Fingerprint: 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
| > 
| > any further help?
| 
| I can only speculate then. From a cursory look into smime_keys I gathered that
| the subroutine handle_pem(@) - which is called after smime_keys extracted the
| p12 file - expects the whole certificate chain in its input. (Beware, it's
| been years since I programmed in Perl, so I may be wrong!) Perhaps the p12
| file you got from Thawte contains only your key and your certificate, but not
| the CA certificate? In this case you may generate a new p12 file with
| openssl. 

Ahh, yes! My cert.p12 did not include the CA certificate.
I copied "Thawte Personal Freemail CA" into another file and used the
following to merge the certs:

$ cp cert.p12 cert.p12-orig # save a backup copy
$ openssl pkcs12 -in cert.p12 -out file.pem -nodes
$ openssl pkcs12 -export -in file.pem -out cert.p12 -certfile ca-thawte.crt

Then smime_keys finished successfully and I'm able to use S/MIME signing.
Thanks a lot!

I've no idea why IE/Firefox export user certificates with no CA cert
included.

And while looking for a solution on Google (smime_keys) I found some people
who were complaining about the same problem as me. Maybe it should be added to
smime_notes.txt that the file cert.p12 should also have the CA certificate
included, and how to check that with openssl (openssl pkcs12 -in cert.p12
-cacerts -nokeys # should have some output with Thawte)

| If all fails you can still add your keypair manually. After all, the key
| and certificate "databases" are simply directories in which each key (or
| certificate, respectively) is stored as a PEM file named <hash>.<counter>
| where <hash> is the 8 hex-digits long hash of the certificate (or the
| certificate belonging to this key) and <counter> is, well, a counter used to
| disambiguate certs with the same hash (e.g., if you prolonged your
| certificate). The openssl p12 and x509 commands let you easily extract the
| certificate and key from your p12 file and determine the necessary hash
| value. 
| 
| BTW, I find the GPGME crypto backend more convenient to use. Its only
| drawback (for me) is that it cannot decrypt S/MIME mails sent by thunderbird
| users because the underlying crypto library does not handle RC4. For such
| emails I have to use thunderbird myself or fall back to mutt's "classic"
| S/MIME backend that calls the openssl command line tools.
| 
| HTH
| 
| Christoph

-- 
Anatoly Pugachev
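As an added illustration of the two points in this thread (the .p12 that lacks its CA certificate, and the <hash>.<counter> layout of mutt's classic S/MIME key store), here is a small POSIX shell helper. It is not code from the thread's authors or from the mutt project; it assumes openssl is in PATH, that the .p12 password is supplied in the environment variable P12_PASS, and the function names (pem_cert_count, p12_ca_count, p12_add_ca, p12_check_or_fix, next_slot) are my own.

```shell
# Added example, not code from this thread or from mutt itself.
# Assumes: openssl in PATH; the .p12 import/export password in $P12_PASS.

# Count PEM certificate blocks on stdin (pure shell, no openssl needed).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true   # grep exits 1 when the count is 0
}

# Number of CA certificates bundled in a .p12. A result of 0 is exactly the
# case where "smime_keys add_p12" stops with "No root and no intermediate certificates".
p12_ca_count() {   # $1 = p12 file
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | pem_cert_count
}

# Rebuild the .p12 with the CA certificate appended, keeping a backup of the
# original (the same two openssl steps as in the message above).
p12_add_ca() {   # $1 = p12 file, $2 = PEM file holding the CA certificate
    cp "$1" "$1-orig" || return 1
    tmp=$(mktemp) || return 1
    openssl pkcs12 -in "$1" -out "$tmp" -nodes -passin "pass:$P12_PASS" \
      && openssl pkcs12 -export -in "$tmp" -certfile "$2" -out "$1" \
             -passout "pass:$P12_PASS"
    rc=$?
    rm -f "$tmp"   # the -nodes output holds the unencrypted private key
    return "$rc"
}

# Check a .p12 and repair it only when the CA chain is missing.
p12_check_or_fix() {   # $1 = p12 file, $2 = CA PEM file
    if [ "$(p12_ca_count "$1")" -eq 0 ]; then
        echo "$1: no CA certificate bundled, adding $2" >&2
        p12_add_ca "$1" "$2"
    fi
}

# mutt's classic S/MIME backend files each certificate as <hash>.<counter>,
# where <hash> comes from "openssl x509 -noout -hash". Return the next free
# counter for that hash in the given directory (0 when none exists yet).
next_slot() {   # $1 = certificates directory, $2 = 8-hex-digit hash
    n=0
    for f in "$1"/"$2".*; do
        [ -e "$f" ] || continue
        c=${f##*.}
        [ "$c" -ge "$n" ] 2>/dev/null && n=$((c + 1))
    done
    echo "$n"
}
```

Typical use is `p12_check_or_fix cert.p12 ca-thawte.crt` before running `smime_keys add_p12`, and `next_slot ~/.smime/certificates "$(openssl x509 -noout -hash -in cert.pem)"` when adding a certificate by hand.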
