If you try to verify the signature of a p7m file without the Certification Authority (la CA), the verification fails ("unable to load certificate") because we do not have CA trust certificates (so-called Trusts).
These Certificate Authorities have been defined by Italian law and are registered on the CNIPA, which since December 2009 has become DigitPA, as a certificate of XML certificates and found them on the same site at https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_signed.xml.
To have openssl manage them you have to put them in its format so:
wget -O - https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_signed.xml | perl -ne 'if (/<X509Certificate>/) {
s/^\s+//; s/\s+$//;
s/<\/*X509Certificate>//g;
print "-----BEGIN CERTIFICATE-----\n";
while (length($_)>64) {
print substr($_,0,64)."\n";
$_=substr($_,64);
}
print $_."\n";
print "-----END CERTIFICATE-----\n";
}' >CA.pem
This way we have all the certificates in a single CA.pem file, unfortunately even those that may have expired. Even if it's over, we may need to check out an old file so we can also serve the expiration.
For more information, see the article
For script updates, please visit https://github.com/eniocarboni/getTrustCAP7m