[openssl-users] 0.9.8 - 1.0.0 DER format breaking change

Dr. Stephen Henson steve at openssl.org
Wed Mar 16 23:03:22 UTC 2016

On Wed, Mar 16, 2016, Krzysztof Modras wrote:

> Hello,
> I'm new to the group, so please excuse me if I'm describing my issue
> incorrectly.
> I've originally posted this github issue:
> https://github.com/openssl/openssl/issues/883
> As it may not exactly be a openssl problem (both old and new behaviour meet
> the specification?), I will try to reformulate the report.
> Is there a way to ensure the order of certificates in output of `openssl
> smime -sign`?
> I know that order from certfile will be maintained, but what about signer
> certificated? Two possible options are to put it before or after CA chain.

As has been mentioned the order shouldn't matter but there is a way to manage
this using the smime utility or the cms utility in some versions of OpenSSL.

If you use the option -nocerts the signing certificate will not be
automatically added to the output. You can then include the signing
certificate in the -certfile option in whatever position you want. This
functionality was added to some versions of OpenSSL to workaround this
problem where some implementations depend on the order.

Whether this works in practice for the smime utility will depend on the
version of OpenSSL: some versions interpret -nocerts to exclude all
certificates so you get none at all in the output. For 1.0.2 and master
you should be fine. 

If you use the cms utility instead of smime it should work in any version of

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list