[imp] s/mime help

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Feb 20 23:04:12 PST 2003 

Hello Marcos Monge,

======= At 2003-02-20, 22:03:00 you wrote: =======

>Alexander Dalloz wrote:
>
>>Hello Marcos Monge,
>>  
>>
>>>I have instaled horde/imp cvs HEAD for testing s/mime support.
>>>
>>>I have all working, but I have some problems with certificates.
>>>
>>>Imp support only pkcs7 certifies files.
>>>
>>>I have try to create a new certificate with my own CA (with openssl) 
>>>following this steps:
>>>
>>>echo "Self-sign the root CA..."
>>>openssl req -new -x509 -days 3650 -config root-ca.conf -key ca.key -out 
>>>ca.crt
>>># create the certificate
>>>openssl req -new -config user-cert.conf -key mmonge.key -out mmonge.csr
>>>#  sign the certificate
>>>openssl ca -config ca.config -out mmonge.crt -infiles mmonge.csr
>>>
>>>(the .conf file have data about paths and defaults)
>>>
>>>After all this, I have a "mmonge.crt" certfied, I think in x509 format.
>>>    
>>>
>>>How I can import this certificate to my public/private S/Mime key in 
>>>IMP? I have try to convert to pkcs7 format, but I only get one key (I 
>>>don't know if it's private or public key).
>>>    
>>>
>>
>>Take crl2pkcs7.
>>  
>>
>>Further infos on http://www.mkssoftware.com/docs/man1/openssl_crl2pkcs7.1.asp
>>or other hits on google with search for "openssl pkcs7".
>>  
>>
>I have try this:
>
>openssl crl2pkcs7 -nocrl -certfile mmonge.crt -outform PEM -out mmonge.pem
>
>and mmonge.pem is:
>
>-----BEGIN PKCS7-----
>MIICvwYJKoZIhvcNAQcCoIICsDCCAqwCAQExADALBgkqhkiG9w0BBwGgggKUMIIC
>kDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBuMQswCQYDVQQGEwJFUzEPMA0G
>A1UECBMGTWFkcmlkMQ8wDQYDVQQHEwZNYWRyaWQxDjAMBgNVBAoTBVNhdGVjMREw
>DwYDVQQLEwhTaXN0ZW1hczEaMBgGA1UEAxMRU2F0ZWMgU2lzdGVtYXMgQ0EwHhcN
>MDMwMjIwMTcwOTA1WhcNMTMwMjE3MTcwOTA1WjA3MRUwEwYDVQQDEwxNYXJjb3Mg
>TW9uZ2UxHjAcBgkqhkiG9w0BCQEWD21tb25nZUBzYXRlYy5lczCBnzANBgkqhkiG
>9w0BAQEFAAOBjQAwgYkCgYEArLFe2yah3GIYAUaXw7Ne+uZUVeCoUxXCUGc7r1sM
>v+AkFQMKXFJHf3WEKVaAq1XPlURnJtweLEVbE3dRNBV1LU2xJg61SBONStMfuyIV
>EnbLKxEA2sGPqVCQMlhL4RuBqrx88+/itimyDHCG6Fr3vPn71y3VFa7xnxdH64at
>FikCAwEAAaN1MHMwGgYDVR0RBBMwEYEPbW1vbmdlQHNhdGVjLmVzMAwGA1UdEwEB
>/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgQQMB8GA1UdIwQYMBaAFKeah6ukIQNcRNLG
>LAn27pi/xr96MBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GB
>AEJ8cGqZ8sAo9EWRD9e0yU+xlQ9J+t9I8z3Zd74g2JrZY8a53Idz2tji1I8O0KFy
>grmFqpduE/5gyIQVikEEKhybThoFWp/7ezMQwAMXug7XVZSg1/+Re+w1SbokdQy/
>Z3nfAtavk2YXKIz1Iaj8P98NP84rERheJ5TYpDRjGfWMMQA=
>-----END PKCS7-----
>
>
>But... When you go to smime optins in IMP, IMP ask first for my public 
>key, and after for my private key... My question is, this pkcs7 file 
>that I generated, is the public or the private key of my certificate? 
>How can I get the other?
>
>Thanks in advance

No, no. You created a pkcs7 version of your CA's cert file. You are on the wrong path I fear.
You'll have to risk a detailed view to the openssl dokumentation. Maybe
http://sial.org/sendmail/doc/OpenSSL.txt is helpful, especially the section 
CERTIFICATES SIGNED BY OWN CERTIFICATE AUTHORITY.

After generating valid CA cert, a private and a public key in x509 format you can begin to
create an s/mime compatible cert file with something like:
openssl pkcs7 -export -in mycert.pem -inkey mykey.pem -out user.p7 \
           -certfile othercerts.pem -name "Marcos Monge"

Alexander Dalloz

More information about the imp mailing list