S/MIME - importing .p12 - missing intermediate and root CA - save locations

I tested importing a .p12 file in emclient/settings which included personal cert+key as well as chain certs for intermediate and root CA.

I am confused

  • in emclient only the personal key+cert seem to be imported (but not into the windows user cert store)
  • the chain certs for intermediate and root CA seem to be ignored / not imported - inspecting the user cert from within emclient does not show a valid key chain
  • looking at windows cert stores, the chain certs were not imported anywhere - neither was the user cert
  • once you manually add chain certs to windows, emclient can validate the user cert

… so, emclient saves user cert/key privately (like thunderbird), but DOES access windows cert store to access certs to validate the key chain?! … but does NOT import chain certs privately into emclient either? isn’t that a bit inconsistent?

so the current needed workaround is:

  • install chain certs manually into windows cert stores
  • install p12 into emclient to get the user cert/key
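
The first workaround step can be scripted. The PowerShell below is an added example, not from the original post or from eM Client: it lists the chain certificates inside the .p12 and, with `-Install`, adds them to the current user's Root and Intermediate (CA) stores. The path `.\user.p12` is a placeholder.

```powershell
# Added example: copy only the chain certificates from a .p12 into the
# current user's Windows certificate stores. The personal cert+key is skipped,
# since the mail client imports that itself.
param(
    [string]$P12Path = '.\user.p12',   # placeholder path (assumption)
    [switch]$Install                   # without -Install the script only lists
)

$secure = Read-Host -AsSecureString "Password for $P12Path"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Load every certificate in the bundle. Keys are not persisted (no PersistKeySet).
$bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$bundle.Import((Resolve-Path $P12Path).Path, $plain, 'DefaultKeySet')

foreach ($cert in $bundle) {
    if ($cert.HasPrivateKey) { continue }   # personal cert: leave it alone

    # Subject equal to Issuer means self-issued, so treat it as a root;
    # everything else goes to the intermediate store ("CA").
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

    # Print the thumbprint so it can be compared with the value the CA
    # publishes before the certificate is trusted.
    '{0,-4} {1}  {2}' -f $storeName, $cert.Thumbprint, $cert.Subject

    if ($Install) {
        $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($storeName, 'CurrentUser')
        $store.Open('ReadWrite')
        try     { $store.Add($cert) }
        finally { $store.Close() }
    }
}
```

Run it once without `-Install` to check the thumbprints. Windows shows a confirmation dialog when a certificate is added to the current user's Root store.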