[rescue] S/MIME and mutt

Stuff Received stuff at riddermarkfarm.ca
Mon Jul 21 01:01:00 UTC 2025


On 2025-07-20 20:49, Grant Taylor via rescue wrote:
> On 7/18/25 8:53 AM, Phil Stracchino via rescue wrote:
>> mutt correctly detects, extracts and processes the signature, but is 
>> unable to validate the certificate.
> 
> My supposition based on other parts of the thread and my own testing is 
> that something in the certificate chain between your frequent 
> correspondent's S/MIME leaf certificate and a root CA that your system 
> trusts is missing.
> 
> Pursuant to this thread, I was able to successfully do an `openssl smime 
> -verify ...` for my own message to myself.
> 
> However an `openssl validate` on the cert extracted by the `openssl 
> smime -verify ...` command initially failed an `openssl validate ...` 
> command.
> 
> When I looked at my S/MIME certificate, extracted by the `openssl smime 
> -verify ...` command, with the following `openssl x509 ...` command, I 
> found that I was missing an intermediate certificate in my 
> /etc/ssl/certs folder.
> 
>     openssl x509 -noout -subject -subject_hash -ext subjectAltName 
> -dates -serial -issuer -issuer_hash -in test.pem
> 
> I ran the following command and found that I didn't have the requisite 
> intermediate certificate:
> 
>     find /etc/ssl/certs -iname '*e423f384*'
> 
> So I went out to my S/MIME provider to find and download their 
> intermediate certificate.
> 
> I did already have the root certificate that signed the intermediate 
> certificate.
> 
> The same x509 command thereon showed that it had the requisite hash, 
> e423f384.  So I copied the file to my /etc/ssl/certs directory and 
> created the symlink using the hash name, e423f384.0, to the certificate 
> I just installed.
> 
> After putting the intermediate certificate in place, the `openssl 
> validate ...` command successfully validated my S/MIME certificate.
> 
> Some comments on my observations about `openssl smime -verify` vs 
> `openssl verify`.
> 
> It seems as if `openssl smime -verify` checks the syntax & signature of 
> the email using the certificate in the signature.
> 
> Conversely, it seems as if `openssl verify` checks to see if the 
> certificate has a chain up to a known & trusted root certificate.
> 
> I'm not surprised that my system didn't have the requisite intermediate 
> certificate in /etc/ssl/certs, as I don't do much with S/MIME at the 
> command line or via OpenSSL directly.  Rather, just about all of the 
> S/MIME work that I do is in my email clients.  And my email clients have 
> their own trusted root and intermediate certificate stores.

One further note is to check whether your openssl has the same 
cryptosystems installed as your correspondent.  (If I remember 
correctly, not all installations have all the systems installed.)

S.
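The chain check the thread walks through, as an added example that is not from either poster: it builds a throwaway root, intermediate and leaf with openssl, signs a message with the intermediate embedded as mail clients do, and then shows `openssl smime -verify` passing while `openssl verify` on the extracted signer certificate fails until the intermediate is installed under its subject hash in a directory laid out like /etc/ssl/certs. The subject names, the scratch directory and the `ca.ext` file are assumptions made for the demo.

```shell
# Throwaway root -> intermediate -> leaf PKI, constructed for this demo, to show why
# `openssl smime -verify` passes (the message carries the intermediate) while
# `openssl verify` on the extracted signer cert fails until the intermediate is
# installed under its subject hash, the way /etc/ssl/certs is laid out.
set -eu

build_pki() {                       # $1 = scratch directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  mkdir -p "$d/certs"               # stands in for /etc/ssl/certs
}
# Sign the way a mail client does: the intermediate rides along inside the PKCS#7.
sign_message() {                    # $1 = scratch directory
  printf 'Subject: demo\n\nhello\n' >"$1/msg.txt"
  openssl smime -sign -in "$1/msg.txt" -signer "$1/leaf.pem" -inkey "$1/leaf.key" \
    -certfile "$1/int.pem" -out "$1/msg.smime"
}
# `openssl smime -verify` trusting only the root; also extracts the signer cert. Prints yes/no.
smime_verifies() {                  # $1 = scratch directory
  if openssl smime -verify -in "$1/msg.smime" -CAfile "$1/root.pem" \
       -signer "$1/signer.pem" -out /dev/null 2>/dev/null; then echo yes; else echo no; fi
}
# Is <issuer_hash>.0 present in the hashed directory? The thread's find '*e423f384*' check.
issuer_installed() {                # $1 = cert.pem  $2 = hashed CA directory
  h=$(openssl x509 -noout -issuer_hash -in "$1")
  if [ -e "$2/$h.0" ]; then echo yes; else echo no; fi
}
# Install a CA cert as /etc/ssl/certs expects: the file plus a <subject_hash>.0 symlink.
install_hashed() {                  # $1 = cert.pem  $2 = hashed CA directory
  h=$(openssl x509 -noout -subject_hash -in "$1")
  cp "$1" "$2/" && ln -sf "$(basename "$1")" "$2/$h.0"
}
# What `openssl verify` checks: does the bare leaf chain to a root via the directory? yes/no
leaf_verifies() {                   # $1 = cert.pem  $2 = hashed CA directory
  if openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}
```

Drive it with `d=$(mktemp -d); build_pki "$d"; sign_message "$d"; smime_verifies "$d"; install_hashed "$d/root.pem" "$d/certs"; leaf_verifies "$d/signer.pem" "$d/certs"`, which prints yes then no; after `install_hashed "$d/int.pem" "$d/certs"` the same `leaf_verifies` call prints yes.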


