Issue with encrypting emails using openssl

Issue with encrypting emails using openssl

by Viresh Singh

Hi
I am trying to create a certificate authority.  I am trying to secure emails from my clients to my server.  The client certificates import fine.  Trying to send a signed email works fine but encrypting the email does not.  It states that the intended recipient has missing or invalid certificates, or conflicting or unsupported encryption capabilities.  I am using openssl version 0.9.8g, using Microsoft Outlook as the email client. Any help will be much appreciated.


Thanks,
Viresh Singh
Developer
 


Any unauthorized use or interception of this e-mail is illegal.  If this e-mail is not intended for you, you may not copy, distribute or disclose the contents to anyone.  Save for bona fide company matters, Next Generation Network Telecommunications (Pty) Ltd do not accept any responsibility for the opinions expressed in this e-mail. No binding contract will result from this e-mail until such time as a written agreement is signed by the parties and subject to the approval of the board of directors of Next Generation Network Telecommunications (Pty) Ltd. Any concepts and ideas in this e-mail have been developed by Next Generation Network Telecommunications (Pty) Ltd and is property to Next Generation Network Telecommunications (Pty) Ltd. Such information is to be kept confidential and cannot be divulged. Any unauthorized disclosure may cause Next Generation Network Telecommunications (Pty) Ltd substantial losses. Any disclosure, re-transmission, dissemination or any other use of this information is strictly prohibited.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: Issue with encrypting emails using openssl

by Patrick Patterson-3

On May 14, 2008 08:05:30 am Viresh Singh wrote:

> Hi
> I am trying to create a certificate authority.  I am trying to secure emails
> from my clients to my server.  The client certificates import fine.  Trying
> to send a signed email works fine but encrypting the email does not.  It
> states that the intended recipient has missing or invalid certificates, or
> conflicting or unsupported encryption capabilities.  I am using openssl
> version 0.9.8g, using Microsoft Outlook as the email client. Any help will
> be much appreciated.
>
>
First of all, when doing S/MIME, you need to have two certificates - one for
signing, and one for encryption. This is because you will probably want to
escrow the encryption key (you want to make backups of the key and/or have
your employer be able to read your email if they have to fulfill a SOX or
other governance request, right?), but not the signature key (since no-one
should ever be able to impersonate you).

Next, you need to have the right keyUsage and subjectAltName values set for
those two different types of certificate.

For Signing, the following should work:

KU: digitalSignature

For Encryption, the following should work:

KU:  keyEncipherment, dataEncipherment

If you wish, you can also add in the S/MIME-specific EKU to both of these:

EKU: emailProtection

And, lastly, you also need to make sure that the email address appears in the
SubjectAltName as an attribute of type email.

For an example of how to set up a CA to do all of this, take a look at:

http://www.carillon.ca/library/howtos.php 
-> How to Set Up an OpenSSL TEST CA for Interoperability Testing with
CertiPath

This has quite a full description of how to set up the various profiles that
are required for Identity, Signature and Encryption.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
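
An added example, not part of the thread or of the Carillon how-to: a throwaway test CA that issues one certificate per profile described in the reply above, then asks OpenSSL's own purpose check whether each is usable for S/MIME signing or encryption. The section names, file names and alice@example.test are constructed for the demo, and `basicConstraints = CA:FALSE` is an assumption the reply does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway test CA that issues separate
# S/MIME signing and encryption certificates. Section names, file names and
# the address passed in are constructed for the demo.
set -e

issue_smime_pair() (   # $1 = work dir, $2 = e-mail address
  cd "$1"
  # Extension profiles: keyUsage, emailProtection EKU, e-mail in subjectAltName.
  cat > ext.cnf <<EOF
[ smime_sign ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:$2

[ smime_encrypt ]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Test CA" -days 30 >/dev/null 2>&1
  for p in sign encrypt; do   # one key pair and certificate per purpose
    openssl req -newkey rsa:2048 -nodes -keyout "$p.key" -out "$p.csr" \
      -subj "/CN=Demo User $p" >/dev/null 2>&1
    openssl x509 -req -in "$p.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile ext.cnf -extensions "smime_$p" -days 30 -out "$p.crt" \
      >/dev/null 2>&1
  done
)

# OpenSSL's own purpose check: prints Yes or No. $2 = signing | encryption
smime_purpose() {
  openssl x509 -in "$1" -noout -purpose | sed -n "s|^S/MIME $2 : ||p"
}

# E-mail address(es) the certificate carries (subject DN and subjectAltName).
cert_email() { openssl x509 -in "$1" -noout -email; }

d=$(mktemp -d)
issue_smime_pair "$d" alice@example.test
for c in sign encrypt; do
  echo "$c.crt: signing=$(smime_purpose "$d/$c.crt" signing)" \
       "encryption=$(smime_purpose "$d/$c.crt" encryption)" \
       "email=$(cert_email "$d/$c.crt")"
done
```

A certificate that reports `encryption=No` here lacks keyEncipherment in its keyUsage, which is one way to end up with a certificate that works for signing only.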

Re: Issue with encrypting emails using openssl

by Krishna Prasad

Hi,
 
Can you elaborate on the steps you have performed on configuring your Outlook?
 
Regards
Krishna

On Wed, May 14, 2008 at 5:35 PM, Viresh Singh <viresh@...> wrote:
Hi
I am trying to create a certificate authority.  I am trying to secure emails from my clients to my server.  The client certificates import fine.  Trying to send a signed email works fine but encrypting the email does not.  It states that the intended recipient has missing or invalid certificates, or conflicting or unsupported encryption capabilities.  I am using openssl version 0.9.8g, using Microsoft Outlook as the email client. Any help will be much appreciated.


Thanks,
Viresh Singh
Developer