Home/ Questions/Q 8652305
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T14:16:44+00:00

I have a certificate C.pfx that was given to me to work with OpenSSL.

  • 0

I have a certificate C.pfx that was given to me to work with OpenSSL. The certificate C.pfx has the following Certification path: C->B->A

I converted C.pfx to PEM using the following command:
openssl pkcs12 -in C.pfx -out C.pem -nodes — WORKS OK

I opened the certificate C.pem in the file editor and see that it has both RSA PRIVATE KEY and CERTIFICATE parts.

I also see both A and B certificates installed under Trusted Roor Certification Athorities store in Windows XP.

The goal is to sign, encrypt, decrypt and verify a test file using OpenSSL for Windows version 1.0.1c (it’s currently the latest version)

I use the following commands:

–TO SIGN–

openssl smime -sign -signer C.pem -in test.txt -out test.tmp    -- WORKS OK

–TO ENCRYPT–

openssl smime -encrypt -in test.tmp -out test.enc C.pem     -- WORKS OK

–TO DECRYPT–

openssl smime -decrypt -in test.enc -recip C.pem -inkey C.pem -out test1.tmp    -- WORKS OK

–TO VERIFY–

openssl smime -verify -in test1.tmp -CAfile "C.pem" -out notes1.txt -- FAILS

I used MMC console to export B and A certificates to CER files and then converted them to PEM using OpenSSL. After that I tried the following 2:

openssl smime -verify -in test1.tmp -CAfile "A.pem" -out notes1.txt -- FAILS

openssl smime -verify -in test1.tmp -CAfile "B.pem" -out notes1.txt -- FAILS

All 3 attempts to VERIFY failed with the following error:

Verification failure
3672:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypt
o\pkcs7\pk7_smime.c:342:Verify error:unable to get local issuer certificate

What am I doing wrong?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    When you use openssl smime -verify openssl attempts to verify that the certificate it is to use is trusted by checking its signature (that’s the signature in the certificate, not the signature in the signed message that you asked to verify). To do that it has to have a copy of the certificate for the key of the CA that issued the certificate.

    The -CAfile parameter is used to pass the name of the file containing that CA certificate, NOT the certificate of the key used to sign the message. You would specify the certficiate of the key used to sign the message with a -certfile parameter … but in your case the certificate will be in the test.tmp file (you can suppress that by specifying -nocerts when you sign the message).

    To suppress the checking of the key certificate when verifying a message you can supply the -noverify parameter to the verify command (though openssl smime -verify -noverify does look a bit weird).

    • 0