[rescue] S/MIME and mutt

Grant Taylor rescue at gtaylor.tnetconsulting.net
Mon Jul 21 00:49:53 UTC 2025


On 7/18/25 8:53 AM, Phil Stracchino via rescue wrote:
> mutt correctly detects, extracts and processes the signature, but is 
> unable to validate the certificate.

My supposition based on other parts of the thread and my own testing is 
that something in the certificate chain between your frequent 
correspondent's S/MIME leaf certificate and a root CA that your system 
trusts is missing.

Pursuant to this thread, I was able to successfully do an `openssl smime 
-verify ...` for my own message to myself.

However, an `openssl validate` on the cert extracted by the `openssl 
smime -verify ...` command initially failed an `openssl validate ...` 
command.

When I looked at my S/MIME certificate, extracted by the `openssl smime 
-verify ...` command, with the following `openssl x509 ...` command, I 
found that I was missing an intermediate certificate in my 
/etc/ssl/certs folder.

    openssl x509 -noout -subject -subject_hash -ext subjectAltName -dates -serial -issuer -issuer_hash -in test.pem

I ran the following command and found that I didn't have the requisite 
intermediate certificate:

    find /etc/ssl/certs -iname '*e423f384*'

So I went out to my S/MIME provider to find and download their 
intermediate certificate.

I did already have the root certificate that signed the intermediate 
certificate.

The same x509 command thereon showed that it had the requisite hash, 
e423f384.  So I copied the file to my /etc/ssl/certs directory and 
created the sym-link using the hash name, e423f384.0, to the certificate 
I just installed.

After putting the intermediate certificate in place, the `openssl 
validate ...` command successfully validated my S/MIME certificate.

Some comments on my observations about `openssl smime -verify` vs 
`openssl verify`.

It seems as if `openssl smime -verify` checks the syntax & signature of 
the email using the certificate in the signature.

Conversely, it seems as if `openssl verify` checks to see if the 
certificate has a chain up to a known & trusted root certificate.

I'm not surprised that my system didn't have the requisite intermediate 
certificate in /etc/ssl/certs as I don't do much with S/MIME at the 
command line or via OpenSSL directly.  Rather just about all of the 
S/MIME work that I do is in my email clients.  And my email clients have 
their own set of trusted root and intermediate certificate store.



-- 
Grant. . . .
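The hand-run checks in the post above, as a shell script added here (not from the original post or the rescue list): it pulls the signer certificate out of a signed message, prints the same inspection fields, tests whether the issuer is filed in a CApath-style store under its hash name, files a certificate under that name, and runs the chain check with `openssl verify`. It assumes the openssl command line; the store directory and file paths are arguments, so it can be run against a scratch directory instead of /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI;
# STORE_DIR stands in for /etc/ssl/certs so nothing touches the system store.
set -eu

# Extract the signer's certificate from a signed message. -noverify checks
# the signature only; the chain is examined separately by the functions below.
extract_signer() {  # usage: extract_signer MSG.eml SIGNER_OUT.pem
    openssl smime -verify -noverify -in "$1" -signer "$2" -out /dev/null
}

# The post's inspection command: who the cert is, who issued it, and the hash
# names under which a CApath store would hold the cert and its issuer.
describe_cert() {  # usage: describe_cert CERT.pem
    openssl x509 -noout -subject -subject_hash -ext subjectAltName \
        -dates -serial -issuer -issuer_hash -in "$1"
}

subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }

# Does the store hold a cert filed under the hash of this cert's issuer?
# Same question as the post's `find /etc/ssl/certs -iname '*<hash>*'`.
issuer_in_store() {  # usage: issuer_in_store STORE_DIR CERT.pem
    h=$(issuer_hash "$2")
    for f in "$1/$h".[0-9]*; do [ -e "$f" ] && return 0; done
    return 1
}

# File a certificate in the store under its subject hash, as the post did with
# e423f384.0. Colliding hashes are numbered .0, .1, ... so take the first free
# slot. CERT must be an absolute path because a symlink is created.
install_to_store() {  # usage: install_to_store STORE_DIR /abs/CERT.pem
    h=$(subject_hash "$2"); n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$2" "$1/$h.$n"
}

# The chain check proper: succeeds only if every issuer up to a self-signed
# root can be found in the store by hash name.
verify_leaf() {  # usage: verify_leaf STORE_DIR CERT.pem
    openssl verify -CApath "$1" "$2"
}
```

With only the root filed, `verify_leaf` fails on the leaf and `issuer_in_store` reports the gap; after `install_to_store` files the intermediate, both succeed.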

