intermedia CA and smime cert

Ronny Wagner r.wagner at
Thu Sep 7 13:10:17 UTC 2023

hello all,

i need your help in setting up an intermedia ca that is allowed to issue smime certificates.

in my previous attempts, the smime certificate could not authenticate with the intermedia ca.

openssl.cnf - RootCA
[ v3_user_intermediate_ca ]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer
basicConstraints                = critical, CA:true, pathlen:0
keyUsage                        = critical, digitalSignature, keyCertSign, cRLSign

openssl.cnf - UserCA
[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy

I use the following command to create the smime certificate:
$ openssl x509 -req -days 365 -in usermail.csr -CA cacert.pem -CAkey private/UserCA.key.pem -CAserial serial -out usermail_finish.pem -setalias " User E-Mail Certificate" -extfile UserCA/openssl.cnf -extensions smime

Would you have a tip on where I can start here?

Thank your very much.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7480 bytes
Desc: not available
URL: <>

More information about the openssl-users mailing list