Mac OS X Mail signing messages with S/MIME certificate from startssl

Tags: email, encryption, keychain, mail.app, security

I've got myself an S/MIME certificate from StartSSL, which I have exported from the browser, imported into my keychain and as expected Mail.app is now signing my outgoing messages.

However some clients seem to have problems trusting this certificate. I've tracked the problem down to the fact that the attached smime.p7s is not complete.

A valid smime.p7s for a certificate from startssl has two certificates in it – the complete certificate chain up to the root. Example:

$ cat valid.eml | openssl smime -pk7out | openssl pkcs7 -print_certs

subject=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/description=aBcDeFg1234/CN=example@domain.com/emailAddress=example@domain.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

However, the smime.p7s that Mail.app attaches to my emails only has the second certificate, the one bound to my own account, and misses the other one, which happens to be necessary for many clients in order to verify the signature.

Any ideas how I can fix this?

Best Answer

You need to add this http://www.startssl.com/certs/sub.class2.client.ca.crt certificate to your OS X keychain. After that, your messages will contain both certificates.