
I have a client certificate in Chrome that I used for logging into StartSSL. I exported it using pk12util to certfile.p12. Now I want to use it for signing with S/MIME.

I converted the p12 file to pem.

First, I verify that the certificate will work for this purpose:

$ openssl verify -purpose smimesign -verbose -CAfile ca-bundle.crt certfile.pem
certfile.pem: OK

Now I try and sign:

$ echo "lol" | openssl smime -sign -CAfile ca-bundle.crt -signer certfile.pem
unable to load signing key file
3074062600:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

If I use the original p12 file, it doesn't work either, but with another error message:

$ openssl verify -purpose smimesign -verbose -CAfile ca-bundle.crt certfile.p12
unable to load certificate
3074066696:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

What should I do so that I can sign messages with free StartSSL certificates?

1 Answer


I forgot the -nodes flag when making the pem. This includes the private key.

openssl pkcs12 -in certfile.p12 -nodes -out certfile2.pem

This pem can be used for signing.
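An added example, not part of the original question or answer: a shell check that reports which PEM blocks a file contains before it is passed to `openssl smime -sign -signer`. A result of `cert=yes key=none` corresponds to the "Expecting: ANY PRIVATE KEY" error above, and `not-pem` to the "no start line" error on the binary .p12. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report which PEM blocks a file
# holds, to predict whether `openssl smime -sign -signer FILE` can find a key.

pem_labels() {
    # Print the label of every "-----BEGIN <label>-----" line (CRLF tolerated).
    LC_ALL=C tr -d '\r' < "$1" | LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

classify_signer_file() {
    labels=$(pem_labels "$1")
    # A .p12 is binary DER, so it has no PEM start line at all.
    [ -n "$labels" ] || { echo "not-pem"; return 0; }
    cert=no; key=none
    if printf '%s\n' "$labels" | grep -Eq '^(TRUSTED )?CERTIFICATE$'; then
        cert=yes
    fi
    if printf '%s\n' "$labels" | grep -Eq '^((RSA|EC|DSA) )?PRIVATE KEY$'; then
        key=plain
    fi
    # PKCS#8 encrypted label, or a traditional key with an encryption header.
    if printf '%s\n' "$labels" | grep -q '^ENCRYPTED PRIVATE KEY$' ||
       LC_ALL=C grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        key=encrypted
    fi
    echo "cert=$cert key=$key"
}

# Constructed sample files: real PEM labels, placeholder bodies (no key material).
make_samples() {
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$1/certonly.pem"
    { cat "$1/certonly.pem"; printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        "$body" '-----END PRIVATE KEY-----'; } > "$1/withkey.pem"
    { cat "$1/certonly.pem"; printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        "$body" '-----END ENCRYPTED PRIVATE KEY-----'; } > "$1/enckey.pem"
    printf '\060\202\004\000' > "$1/certfile.p12"   # DER SEQUENCE header bytes
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in certonly.pem withkey.pem enckey.pem certfile.p12; do
    printf '%-14s %s\n' "$f" "$(classify_signer_file "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

With `key=encrypted`, openssl asks for the passphrase at signing time. A file written with `-nodes` holds the private key unencrypted, so create it under `umask 077` and keep it out of shared directories.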