JP van Oosten

S/MIME and mutt

Dec 31, 2013

Not everyone I interact with by e-mail has a PGP key, but I'd still like them to be able to verify that an e-mail from my e-mail address is actually sent by me. Since I'm an employee of the university of Groningen, I can use an S/MIME certificate issued by TERENA, through I had to jump through some hoops to get it all working properly in mutt though. Some difficulties might also have to do with my setup (such as using Google Chrome), so your mileage may vary. I was using Ubuntu 13.10, which might have some default settings that differ on your own system.

To prepare mutt, I used the smime_keys utility. By issuing

smime_keys init

a directory structure in ~/.smime was created.

First I wanted to create my own certificate signing request, instead of doing everything in-browser (not really necessary, but I wanted to know what was going on):

cd ~/.smime/keys
openssl genrsa -des3 -out smime.key 4096
openssl req -new -key smime.key -out smime.csr

I then uploaded this csr-file to and waited for my public key to be ready. I downloaded the .pem-file from the website and saved it in the ~/.smime/certificates directory. I read that you could install PKCS#12 files easily using smime_keys, so I tried doing that:

cd ~/.smime/certificates
openssl pkcs12 -export -in usercert.pem -inkey ../keys/smime.key -out smime.p12
smime_keys add_p12 smime.p12

This complained that it was unable to identify the root certificate:

Couldn't identify root certificate!
No root and no intermediate certificates. Can't continue. at /usr/bin/smime_keys line 708.

At first, I thought this was because I didn't use the default method of generating everything in-browser and storing the certificate in the browser's key store (I did not want to trust Google Chrome with that, as it does not have a master password for storing keys). However, later I had the same problem with a Comodo-issued certificate.

I fixed this by using the TERENA_Personal_CA.pem intermediate authority certificate that Frank Brokken sent me (of course, only after verifying his PGP-signature, and trusting him not to send me a fake certificate) and using the add_chain command of smime_keys:

smime_keys add_chain ../keys/smime.key usercert.pem TERENA_Personal_CA.pem

I now was able to correctly sign e-mails from my address.

But, I wasn't done. I also wanted to sign personal e-mails. Comodo offers personal S/MIME certificates for free at Instant SSL.

I filled in the form (using the highest available key size) and received an e-mail that I could collect my free certificate. Instant SSL automatically installed the certificate in Google Chrome's certificate store. I exported this file as a PKCS #12 file (settings, advanced settings, manage certificates, export). Again, I had the "Couldn't identify root certificate!" message. Unfortunately, this time I didn't have the root or intermediate certificate authority.

In the end, I downloaded the intermediate certificate authority COMODOClientAuthenticationandSecureEmailCA from and converted my .p12 to a public and private key:

openssl pkcs12 -in personal.p12 -nocerts -out ../keys/personal.key
openssl pkcs12 -in personal.p12 -clcerts -nokeys -out personal.pem

After that, I could add this personal certificate to mutt as well:

smime_keys add_chain ../keys/personal.key personal.pem COMODOClientAuthenticationandSecureEmailCA.crt

I now have two certificates in smime_keys list and can sign both my university and personal mail for people without PGP.