S/MIME and intermediate CA

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
Andreas.Steinel
Posts: 3
Joined: Thu May 03, 2018 11:22 am

S/MIME and intermediate CA

Post by Andreas.Steinel »

Hi everybody,

I imported S/MIME test certificates from Centrum and I had to import the intermediate CA manually via

Code: Select all

zmcertmgr addcacert /tmp/im.pem
to be able to import their p12 certificate. After that it worked as long as the receiving end also has the intermedia CA present on their side to be able to validate the certificate path.

I then tried to repack the p12 with the intermedia CA as follows:

Code: Select all

$ openssl pkcs12 -in centrum.p12 -out test.pem -nodes
$ # manually split the resulting test.pem in test.crt and test.key
$ cat test.crt intermediate.pem > cert.crt
$ openssl pkcs12 -export -in cert.crt -inkey test.key -out test.p12
Inspecting the resulting test.p12 yields, that both the intermediate CA and the "leaf" certificate is present. Deleting the old P12 in Zimbra and reimporting this new P12 works, yet sending another test mail with an attached signature only includes the "leaf" certificate without the intermediate CA, so it still does not work with manually installing the intermedia CA. The new mail has also the same size as the mail without the intermediate CA, so it is not sent.
  • How can I enforce to add the intermediate CA to outgoing mails?
  • How can I remove the intermediate CA once added with addcacert? There is no removecacert and I want to test if it works if the P12 already includes the intermediate CA
Best,
Andreas
Post Reply