6

I created a certificate with OpenSSL and the following commands:

openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=state/L=city/CN=hostname' -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "My Certificate"

And installed it on my Windows 7 machine. Then I tried to send an encrypted email and I got a message that there is no certificate matching my email address.

What am I missing?


Edit 1

Thank you for those insights, Thomas. I added the email address but the message still pops up :-( I also read about a root certificate, do I need such a thing?

Sven
  • I assume CN is sven@security.stackexchange.com rather than security.stackexchange.com? – logicalscope Feb 09 '12 at 14:35
  • CN is actually my username, while emailAddress is the email address. That's my setting but it doesn't work. – Sven Feb 09 '12 at 15:55
  • You should have put your edit as a comment to Thomas' answer instead, that way he would have been notified about it... You don't need a root certificate (it's useful if you want to create multiple certificates but require others to only verify & trust a single one). For email address you'll probably need the `subjectAltName` entry as well, [here](http://unix.stackexchange.com/q/63209/8639)'s how I solved that for multiple email addresses in one certificate. I don't know how to add the `email:copy` entry via the command line though. – Tobias Kienzler Feb 06 '13 at 07:27

2 Answers

5

A certificate binds a public key to an identity. The notion of identity that S/MIME uses is email addresses. Namely, for your certificate to be usable with S/MIME, it should contain your email address.

The email address can be added in the subject name (simple but officially deprecated), like this:

openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=state/L=city/CN=Sven/emailAddress=sven@svenisgreat.com' -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

or (the "normal solution", but more complex) as part of a "Subject Alt Name" extension (with OpenSSL, this requires using the -extensions flag and a configuration file; see the documentation).

Thomas Pornin
  • Sven forgot to comment on your answer and edited his question instead - I think the `subjectAltName` is mandatory even for certificates with only one email address – Tobias Kienzler Feb 06 '13 at 07:29

3

Do not use emailAddress, but subjectAltName instead. You can do this with a single command and without editing the openssl.cnf file:

openssl req -x509 \
    -newkey rsa:4096 \
    -sha256 \
    -nodes \
    -days 3650 \
    -keyout smime.key \
    -out smime.crt \
    -subj "/CN=Nobody" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo 'subjectAltName=email:nobody@example.com')

For more information, see: Provide subjectAltName to openssl directly on command line

vog
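As an added example (not code from either answer): the same subjectAltName approach with a self-contained config file instead of bash process substitution, followed by two `openssl x509` checks that tell a certificate carrying the address only in the deprecated subject `emailAddress` attribute apart from one carrying it in subjectAltName, which is the form to confirm before importing the certificate into a mail client. It also adds the keyUsage and `emailProtection` extended key usage that S/MIME clients commonly expect; it assumes `openssl` is on PATH, and all file names and the CN are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumes openssl on PATH;
# file names and the CN are placeholders.
set -e

# Minimal req config with the address in subjectAltName, so no system
# openssl.cnf and no bash process substitution are needed (plain /bin/sh works).
write_smime_config() {            # $1 = config path, $2 = email, $3 = CN
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions    = smime
prompt             = no
[dn]
CN = $3
[smime]
subjectAltName   = email:$2
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
basicConstraints = critical, CA:FALSE
EOF
}

# Self-signed S/MIME certificate and key (RSA-2048, SHA-256, one year).
make_smime_cert() {               # $1 = email, $2 = CN, $3 = key out, $4 = cert out
    cfg=$(mktemp)
    write_smime_config "$cfg" "$1" "$2"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$cfg" -keyout "$3" -out "$4" 2>/dev/null
    rm -f "$cfg"
}

# Loose check: 'openssl x509 -email' lists every address found in either the
# subject DN (emailAddress) or the subjectAltName extension.
cert_has_email() {                # $1 = cert, $2 = email; exit 0 if present
    openssl x509 -in "$1" -noout -email | grep -qxF "$2"
}

# Strict check: the address must appear in subjectAltName, the form mail
# clients match on, not only in the deprecated emailAddress attribute.
cert_has_san_email() {            # $1 = cert, $2 = email; exit 0 if present
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | grep -qF "email:$2"
}
```

Run `cert_has_san_email smime.crt you@example.com` against any certificate you are about to import; a certificate built with only `-subj '/.../emailAddress=...'` passes the loose check but fails the strict one.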