2

I am getting emails with smime.p7s attachments. when I look at my mail on my Linux box, I can see base64 encoded block in mail body. I can extract that block and open it on Windows using certmgr and everything looks ok.

I need to verify this certificate that I extracted to a file for

  • CA path
  • CRLs
  • expiration

I want to perform all the task on linux using a script. How can I use openssl or some other command to do this?

Xander
  • 35,525
  • 27
  • 113
  • 141
user1231737
  • 21
  • 2

2 Answers2

2

Openssl has all the command-line utilities you need.

It can work on x509 certificates and can also deal directly with S/MIME content. The verify utility is specifically for doing certificate chain validation, but that function is also built in to the S/MIME utility.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • Thanks for reply. Yes I am planning to use openssl to perform the tasks. However, currently, openssl don't like the format that I extract from mail command. That's where I need help :-(, e.g. my file starts with MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIJNGTCCBcow ggOyoAMCAQICBACYlowwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0 Thanks S – user1231737 Jan 04 '13 at 17:12
1

You want to use the openssl cms command:

openssl cms -verify -in somemail.eml

Note that the verification is done on the .eml file — not the smime.p7s attachment (the file beginning with “MIAGCSqGSIb3DQEHAqC”).

For CRL checking, take a look at the -crl_check and -crl_check_all parameters.

To specify the CA certs to check against, use the -CApath or -CAfile parameters.

Finally, if you want to manually inspect the certificates yourself (like with certmgr) you could use the -certsout parameter:

openssl cms -verify -certsout chain.crt -in someemail.eml
openssl x509 -in chain.crt -text

If there is more than one cert in chain.crt, you can split them apart manually into separate files, so you can inspect each one individually with openssl x509.

Community
  • 1
Michael Kropat
  • 113
  • 6