
Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates


openssl cms

April 14, 2020 by Mister PKI

The openssl cms utility will digitally sign, verify, encrypt and decrypt S/MIME version 3.1 mail and messages.

Check out our smime article on how to get an email certificate and extract the public and private key for use in these commands.

openssl cms sign example

To sign a plaintext message, run the following command:

openssl cms -sign -in message.txt -text -out mail.msg -signer misterpki.com.pem

Where -sign means to digitally sign, -in message.txt is the file containing the message to be signed, -text means to add plain text MIME headers, -out mail.msg will be the signed message, and -signer misterpki.com.pem is the file containing both the private key and email certificate.

To add an additional signature to the message, just append an additional -signer cert.pem to the command.

openssl cms verify example

To verify a signed message, run the following command:

openssl cms -verify -CAfile misterpki.com-chain.pem -in mail.msg -signer misterpki.com.crt -out signedtext.txt

Where -verify means to verify the signature, -CAfile misterpki.com-chain.pem is the file containing the chain of the signing certificate, -in mail.msg is the signed message, -signer misterpki.com.crt is the signer's certificate containing the public key to be used for verification, and -out signedtext.txt is the file to output the signed message.

If you do not have the CA chain or simply do not care about validating with it, you can add the -noverify flag to the command and remove the -CAfile flag. The signature itself is still checked in that case, but the signer's certificate is not validated against a trusted chain.

openssl cms encrypt example

To encrypt a message with the cms utility, run the following command:

openssl cms -encrypt -in message.txt -aes256 -out encrypted.msc misterpki.com.pem

Where -encrypt means to encrypt the message, -in message.txt is the plain-text message to be encrypted, -aes256 is the encryption algorithm, -out encrypted.msc is the encrypted message, and misterpki.com.pem is the file containing the certificate and private key used for encryption.

openssl cms decrypt example

To decrypt a message with the cms utility, run the following command:

openssl cms -decrypt -in encrypted.msc -recip misterpki.com.pem

Where -decrypt means to decrypt the message, -in encrypted.msc is the file containing the encrypted message, and -recip misterpki.com.pem is the file containing the private key and certificate.
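
The four commands above, run end to end against a throwaway self-signed certificate. This is an added example, not code from the original article; all file names and the certificate subject are constructed. It also shows what -noverify changes: the certificate chain is no longer validated, but a message whose body was modified after signing is still rejected.

```bash
#!/usr/bin/env bash
# Added example: every file name and the certificate subject are constructed.

# Build a throwaway key and self-signed certificate in directory $1, then sign a message.
cms_setup() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cms-demo" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
  cat "$d/key.pem" "$d/cert.pem" > "$d/signer.pem"   # key + certificate in one file
  printf 'hello cms\n' > "$d/message.txt"
  openssl cms -sign -in "$d/message.txt" -text -out "$d/mail.msg" \
    -signer "$d/signer.pem" || return 1
  # Constructed tampering: alter the clear-text body after it was signed.
  sed 's/hello cms/hello cmz/' "$d/mail.msg" > "$d/tampered.msg"
}

# Verify message $2 in directory $1; remaining arguments go to openssl cms -verify.
# -text strips the MIME headers that -sign -text added.
cms_verify() {
  local d=$1 msg=$2; shift 2
  openssl cms -verify -text -in "$d/$msg" -out "$d/verified.txt" "$@" 2>/dev/null &&
    grep -q 'hello cms' "$d/verified.txt"
}

# Encrypt to the certificate alone, decrypt with the file that holds the private key.
cms_crypt_roundtrip() {
  local d=$1
  openssl cms -encrypt -in "$d/message.txt" -aes256 -out "$d/encrypted.msc" "$d/cert.pem" &&
    openssl cms -decrypt -in "$d/encrypted.msc" -recip "$d/signer.pem" \
      -out "$d/decrypted.txt" && grep -q 'hello cms' "$d/decrypted.txt"
}

demo=$(mktemp -d)
cms_setup "$demo" || exit 1
cms_verify "$demo" mail.msg -CAfile "$demo/cert.pem" && echo "trusted chain: accepted"
cms_verify "$demo" mail.msg || echo "no trust anchor: rejected"
cms_verify "$demo" mail.msg -noverify && echo "-noverify: accepted without chain check"
cms_verify "$demo" tampered.msg -noverify || echo "-noverify, tampered body: rejected"
cms_crypt_roundtrip "$demo" && echo "encrypt/decrypt: round trip ok"
```

Because the demo certificate is self-signed, it serves as its own -CAfile here; with a CA-issued email certificate you would pass the issuer chain instead.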

openssl cms vs openssl smime

Both the cms and smime utilities can be used for digitally signing, verifying, encrypting, and decrypting both regular text files and S/MIME messages. The cms utility is used more often with newer versions of S/MIME, and generally supports newer and stronger methods of encryption.

The Cryptographic Message Syntax (CMS) can be researched further by reading RFC 5652.
