Signing a MIME Message
To digitally sign a MIME message you must have a keystore that contains the signer’s private key and an associated certificate chain. If you know that the recipient trusts an intermediate CA in your chain, the keystore can contain a partial chain that extends back to that CA. However, if you are not sure which CA the recipient trusts, the keystore should contain a complete chain.
Note: You are not required to have the signer’s certificate chain to sign a message; however, if you omit the chain, the recipient must produce the certificate chain when it receives the message. If you do not supply the signer’s certificate chain, and the recipient does not have a local copy of it, the signature verification process will fail. By including the certificate chain with a signature, you ensure that the recipient will be able to process the signature.