I have a client certificate in Chrome, that I used for logging into StartSSL. I exported it using pk12util to certfile.p12. Now I want to use it for signing with S/MIME.

I converted the p12 file to pem.

First, I verify that the certificate will work for this purpose:

```
$ openssl verify -purpose smimesign -verbose -CAfile ca-bundle.crt certfile.pem
certfile.pem: OK
```

Now I try and sign:

```
$ echo "lol" | openssl smime -sign -CAfile ca-bundle.crt -signer certfile.pem
unable to load signing key file
3074062600:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
```

If I use the original p12 file, it doesn't work either, but with another error message:

```
$ openssl verify -purpose smimesign -verbose -CAfile ca-bundle.crt certfile.p12
unable to load certificate
3074066696:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
```

What should I do so that I can sign messages with free StartSSL certificates?

Janus Troelsen
  • `cat` the file `certfile.pem`. It should have `-----BEGIN CERTIFICATE-----` and friends. Also, the `openssl smime -sign` *might* not need `-CAfile ca-bundle.crt` since you are *not* verifying a signature. – jww Apr 01 '14 at 00:09

1 Answer

I forgot the -nodes flag when making the pem. This includes the private key.

```
openssl pkcs12 -in certfile.p12 -nodes -out certfile2.pem
```

This pem can be used for signing.

Janus Troelsen
  • You should probably mark your own answer as accepted so others know this was the fix. – jww Apr 01 '14 at 00:10
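The failure and the fix from this thread, reproduced end to end as an added example (not part of the original posts): it checks which PEM blocks a converted file holds and whether `openssl smime -sign` accepts it. The self-signed identity, the password `demo`, the file names and the helper functions `pem_blocks`, `try_sign` and `roundtrip` are all constructed for illustration.

```shell
#!/bin/sh
# List the PEM block types in a file: cert, enckey (encrypted key), key (plaintext key).
pem_blocks() {
    out=""
    grep -Eq -e '-----BEGIN (TRUSTED )?CERTIFICATE-----' "$1" && out="$out cert"
    grep -q  -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && out="$out enckey"
    grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" && out="$out key"
    echo "${out# }"
}

# Try to S/MIME-sign a one-line message using only the given PEM file.
try_sign() {
    if echo "test" | openssl smime -sign -signer "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Build a throwaway identity (constructed, self-signed), export it to PKCS#12,
# then convert it back to PEM once without and once with the private key.
roundtrip() (
    umask 077                     # -nodes writes the private key unencrypted
    d=$(mktemp -d) || exit 1
    cd "$d" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -keyout k.pem -out c.pem 2>/dev/null
    openssl pkcs12 -export -inkey k.pem -in c.pem -out id.p12 -passout pass:demo
    openssl pkcs12 -in id.p12 -passin pass:demo -nokeys -out certonly.pem 2>/dev/null
    openssl pkcs12 -in id.p12 -passin pass:demo -nodes  -out full.pem 2>/dev/null
    a="certonly: $(pem_blocks certonly.pem) -> $(try_sign certonly.pem)"
    b="full: $(pem_blocks full.pem) -> $(try_sign full.pem)"
    cd / && rm -rf "$d"           # remove the plaintext key again
    printf '%s\n%s\n' "$a" "$b"
)

# Run the demonstration only where the openssl CLI is installed.
command -v openssl >/dev/null && roundtrip
```

Because `-nodes` leaves the key unprotected on disk, keep the resulting file readable only by its owner, or pass the key separately with `-inkey` and keep it encrypted.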