On Wed, Mar 16, 2016, Krzysztof Modras wrote: > Hello, > > I'm new to the group, so please excuse me if I'm describing my issue > incorrectly. > > I've originally posted this github issue: > https://github.com/openssl/openssl/issues/883 > > As it may not exactly be a openssl problem (both old and new behaviour meet > the specification?), I will try to reformulate the report. > > Is there a way to ensure the order of certificates in output of `openssl > smime -sign`? > > I know that order from certfile will be maintained, but what about signer > certificated? Two possible options are to put it before or after CA chain. > As has been mentioned the order shouldn't matter but there is a way to manage this using the smime utility or the cms utility in some versions of OpenSSL. If you use the option -nocerts the signing certificate will not be automatically added to the output. You can then include the signing certificate in the -certfile option in whatever position you want. This functionality was added to some versions of OpenSSL to workaround this problem where some implementations depend on the order. Whether this works in practice for the smime utility will depend on the version of OpenSSL: some versions interpret -nocerts to exclude all certificates so you get none at all in the output. For 1.0.2 and master you should be fine. If you use the cms utility instead of smime it should work in any version of OpenSSL. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
