<<< Date Index >>>     <<< Thread Index >>>

Re: Difficulties adding startssl S/MIME certificate



On Sat, Sep 11, 2010 at 04:01:27PM +0200, Remco Rijnders wrote:
> I'm hoping to use an S/MIME certificate issued by StartSSL to sign and
> encrypt my mail. When trying to add the certificate I get the following
> error:
> 
> remmy@silvertown:~$ smime_keys add_p12 startssl.cert.p12
> 
> NOTE: This will ask you for two passphrases:
>        1. The passphrase you used for exporting
>        2. The passphrase you wish to secure your private key with.
> 
> Enter Import Password:
> MAC verified OK
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> Couldn't identify root certificate!
> No root and no intermediate certificates. Can't continue. at
> /usr/bin/smime_keys line 708.

Having investigated and experimented further, I've been able to solve this
problem. I've requested a new certificate for an alternate email address
from StartSSL and saved it to and exported it from firefox (iceweasel).

Trying to add this new certificate with smime_keys worked out of the box!

It seems that the .p12 files I had generated from Apple's keychain
application were missing the root and/or intermediate certificates from
the bundle. This also explains why I had this problem with all
certificates I tried to load.

With this new knowledge, I was also able to create and validly add my old
keys for signing and decrypting to mutt.

That said, given that I was able to manually get my keys working, I think
perhaps smime_keys is being too harsh on refusing to load files without a
root certificate chain? Both thunderbird and firefox accept these
certificates without complaint.

Sincerely,

Remco Rijnders

Attachment: signature.asc
Description: Digital signature