[imp] Certificate chain for S/Mime

[Crispin Olson]

Firstly, apologies for the long delay - I've been away a while.

Quoting  Jan Schneider jan at horde.org:
>> Folks,
>> Having a problem with S/Mime signing using IMP. I have a certificate
in
>> Outlook that I successfully converted to a PEM file using openssl
(btw
>> having something that could do this from the S/MIME certificate
upload
>> page would be really helpful - most of our users have their certs in
>> Outlook).
>> I successfully uploaded the certificate (another suggestion again -
if I
>> upload using a PEM file that has both public and private key, I
>> shouldn't need to do it twice - with the same file again for private
>> key) - and managed to sign an outgoing mail. In Outlook the signature
>> verified fine, but in IMP I get the message "Message Verified
>> Successfully but the signer's certificate could not be verified.". I
>> then cut and pasted the whole certificate chain out of the PEM file
and
>> used that in the upload public key page - same result. Any
suggestions?

>Make sure that at least one of the CAs in the chain is available in the
>configured certs directory.

One thing I didn't mention - if you use Outlook to send a message using
the same certificate it verifies OK in IMP. In other words Outlook
successfully attaches the necessary part of the chain (its a Thawte
Freemail cert, 2 levels down from Thawtes root cert in my Apache/OpenSSL
install), and Imp verifies OK.

Whilst the suggestion works (because I end up putting the whole chain
into my CA certs) - it would be nice if Imp could successfully use the
"additional certificates" when composing/sending the message. I know the
flag is in OpenSSL (and certainly in the PHP openssl funcs, not used by
IMP because they are so flaky I think) - it just isn't being used.

Also, any comment on the ability to import either a single PEM file, or
import the P12 file exported by Outlook/Express directly by doing the
PKCS12 conversion at the server?

>Jan.