Mac OS X Mail signing messages with S/MIME certificate from startssl
I've got myself an S/MIME certificate from StartSSL, which I have exported from the browser and imported into my keychain, and, as expected, Mail.app is now signing my outgoing messages.
However, some clients seem to have problems trusting this certificate. I've tracked the problem down to the fact that the attached smime.p7s is not complete.
A valid smime.p7s for a certificate from StartSSL has two certificates in it - the complete certificate chain up to the root. Example:
$ cat valid.eml | openssl smime -pk7out | openssl pkcs7 -print_certs
subject=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/description=aBcDeFg1234/[email protected]/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
However, the smime.p7s that Mail.app attaches to my emails only has the second certificate, the one bound to my own account, and misses the other one, which happens to be necessary for many clients to verify the signature.
Any ideas how I can fix this?
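As an added example (not part of the question or either answer), the script below reproduces the symptom with a throwaway root -> intermediate -> leaf hierarchy built by openssl: the same message is signed once with only the signer certificate in smime.p7s and once with the intermediate included, and a recipient that trusts only the root is asked to verify each. All names, files and the message are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway root -> intermediate -> leaf chain, then the same
# message signed once with only the leaf (what the question observes) and once
# with the intermediate included (the "valid.eml" shape). Names are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF
# Root CA (self-signed), intermediate CA, and an S/MIME leaf for the user.
openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.crt -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout inter.key \
  -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 2 -days 30 \
  -extfile demo.cnf -extensions ca_ext -out inter.crt 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=Demo User/emailAddress=user@example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -set_serial 3 -days 30 \
  -extfile demo.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
printf 'Subject: demo\n\nhello\n' > msg.txt
# Signer cert only in smime.p7s (the incomplete case) vs. signer plus intermediate.
openssl smime -sign -in msg.txt -signer leaf.crt -inkey leaf.key -out leaf_only.eml
openssl smime -sign -in msg.txt -signer leaf.crt -inkey leaf.key -certfile inter.crt -out chain.eml
# Count the certificates carried in the signature, the same check the question runs.
count_certs() {
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout | grep -c '^subject'
}
# A recipient that trusts only the root: can it build the chain from the message alone?
verifies() { openssl smime -verify -in "$1" -CAfile root.crt -out /dev/null 2>/dev/null; }
for f in leaf_only.eml chain.eml; do
  if verifies "$f"; then v=ok; else v=FAIL; fi
  echo "$f: $(count_certs "$f") certificate(s) in smime.p7s, verify with root only: $v"
done
```

The leaf-only message fails with "unable to get local issuer certificate" because the verifier has nowhere to find the intermediate; the message that carries it verifies.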
Solution 1:
You need to add this certificate, http://www.startssl.com/certs/sub.class2.client.ca.crt, to your OS X keychain. After that your messages will contain both certificates.
Solution 2:
The problem is that StartCom's PKCS12 certificates are bad. They should be providing a current intermediate CA that is valid, but instead their intermediate CA expired in 2012 and they are telling you to download a different intermediate from their website. StartCom should update their systems.