The openssl cms utility will digitally sign, verify, encrypt and decrypt S/MIME version 3.1 mail and messages.
Check out our smime article on how to get an email certificate and extract the public and private key for use in these commands.
openssl cms sign example
To sign a plaintext message, run the following command:
openssl cms -sign -in message.txt -text -out mail.msg -signer misterpki.com.pem
Where -sign means to digitally sign, -in message.txt is the file containing the message to be signed, -text means to add plain text MIME headers, -out mail.msg will be the signed message, and -signer misterpki.com.pem is the file containing both the private key and email certificate.
To add an additional signature to the message, just append an additional -signer cert.pem to the command.
openssl cms verify example
To verify a signed message, run the following command:
openssl cms -verify -CAfile misterpki.com-chain.pem -in mail.msg -signer misterpki.com.crt -out signedtext.txt
Where -verify means to verify the signature, -CAfile misterpki.com-chain.pem is the file containing the chain of the signing certificate, -in mail.msg is the signed message, -signer misterpki.com.crt is the signer's certificate containing the public key to be used for verification, and -out signedtext.txt is the file to output the signed message.
If you do not have the CA chain or simply do not care about validating with it, you can add the -noverify flag to the command and remove the -CAfile flag.
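The verification behaviour described above, as an added example that is not part of the original article: it builds a throwaway CA and signer (every name and file here is constructed for the demo) and reports which of the -CAfile and -noverify checks pass, including for a message whose body was altered after signing.

```shell
#!/bin/sh
# Added example. The CAs, signer and file names are constructed for this demo.

# check LABEL CMD...: run CMD quietly and print LABEL=ok or LABEL=fail.
check() {
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "$label=ok"; else echo "$label=fail"; fi
}

# new_ca NAME: create a throwaway self-signed CA (NAME.key, NAME.crt).
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

cms_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  new_ca demo-ca && new_ca other-ca || exit 1
  # Signer certificate issued by demo-ca; key and certificate share one PEM file.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-signer" \
    -keyout signer.key -out signer.csr 2>/dev/null || exit 1
  openssl x509 -req -in signer.csr -CA demo-ca.crt -CAkey demo-ca.key \
    -CAcreateserial -days 1 -out signer.crt 2>/dev/null || exit 1
  cat signer.key signer.crt > signer.pem

  printf 'Pay invoice 100\n' > message.txt
  openssl cms -sign -in message.txt -text -out mail.msg \
    -signer signer.pem 2>/dev/null || exit 1
  # Constructed tampering: change the signed body, leave the signature as is.
  sed 's/invoice 100/invoice 900/' mail.msg > tampered.msg

  # Chain validation needs the issuing CA; -noverify skips it but still
  # checks the signature over the content.
  check trusted_ca   openssl cms -verify -CAfile demo-ca.crt  -in mail.msg
  check untrusted_ca openssl cms -verify -CAfile other-ca.crt -in mail.msg
  check noverify     openssl cms -verify -noverify -in mail.msg
  check tampered     openssl cms -verify -noverify -in tampered.msg
)

cms_demo
```

A pass under -noverify only shows that the content matches the signature made by whatever certificate is embedded in the message; it does not tie that certificate to a CA you trust.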
openssl cms encrypt example
To encrypt a message with the cms utility, run the following command:
openssl cms -encrypt -in message.txt -aes256 -out encrypted.msc misterpki.com.pem
Where -encrypt means to encrypt the message, -in message.txt is the plain-text message to be encrypted, -aes256 is the encryption algorithm, -out encrypted.msc is the encrypted message, and misterpki.com.pem is the file containing the certificate and private key used for encryption.
openssl cms decrypt example
To decrypt a message with the cms utility, run the following command:
openssl cms -decrypt -in encrypted.msc -recip misterpki.com.pem
Where -decrypt means to decrypt the message, -in encrypted.msc is the file containing the encrypted message, and -recip misterpki.com.pem is the file containing the private key and certificate.
openssl cms vs openssl smime
Both the cms and smime utilities can be used for digitally signing, verifying, encrypting, and decrypting both regular text files and S/MIME messages. The cms utility is used more often with newer versions of S/MIME, and generally supports newer and stronger methods of encryption.
The Cryptographic Message Syntax (CMS) can be researched further by reading RFC-5652.