Hi, many CAs use a dedicated root CA for S/MIME, not only HARICA. To properly verify any S/MIME signatur you should install a bundle of all S/MIME CA certs. Curl provides a script that can prepare such a CA bundle based on Mozilla sources: https://curl.se/docs/mk-ca-bundle.html. We use it with the following parameters to get all S/MIME root CAs:
mk-ca-bundle.pl -d nss -p EMAIL_PROTECTION:TRUSTED_DELEGATOR ca-bundle-mail.crt Then install the certs as described by Christian. Best regards, Frank Am Dienstag, 28. Oktober 2025 15:57 CET, schrieb "Christian Mack" ([email protected]) <[email protected]>: > Hello > > The way is correct, but HARICA has a seperate certificate chain for > S/MIME certificates. > Therefore you need not the ones from your firefox browser. > > You can download the chain from HARICA itself. > I added them as attachments, but don't know if they go through this list. > Then seperate them into single intermediate certificates, and place them > into /usr/local/share/ca-certificates. > Now you can run update-ca-certificates and are done. > > > Kind regards, > Christian Mack > > Am 28.10.25 um 13:56 schrieb Andreas Bauer > ([email protected]): > > Dear all, > > > > Our university, like most in Germany, has (not so) recently changed > > their certificate issuer from GEANT to Harica. I see that there are > > all sorts of Harica root and intermediate certificates included in my > > browser's certificate store (firefox). > > > > However, when I receive a mail signed with a Harica-issued > > SMIME-certificate, SOGo says that the verification of said email > > signature failed. I'm guessing this is because Harica's root and > > intermediate certificates are not installed. However, I fail to see > > how I can add these to SOGo. > > > > I have tried copying them to /usr/loca/share/ca-certificates and then > > run update-certificates, but to no avail. I'm also guessing I've > > missed some obvious documentation or am making a stupid mistake, but > > I'm really thumped to be honest. > > > > Any insights to this are much appreciated. > > > > Thanks, > > > > Andreas. > > -- > Christian Mack > Universität Konstanz > Kommunikations-, Informations-, Medienzentrum (KIM) > Abteilung IT-Dienste Forschung, Lehre, Infrastruktur > 78457 Konstanz > +49 7531 88-4416 >
