The openssl cms utility will digitally sign, verify, encrypt and decrypt S/MIME version 3.1 mail and messages.
Check out our smime article on how to get an email certificate and extract the public and private key for use in these commands.
openssl cms sign example
To sign a plaintext message, run the following command:
openssl cms -sign -in message.txt -text -out mail.msg -signer misterpki.com.pem
-sign means to digitally sign,
-in message.txt is the file containing the message to be signed,
-text means to add plain text MIME headers,
-out mail.msg will be the signed message, and
-signer misterpki.com.pem is the file containing both the private key and email certificate.
To add an additional signature to the message, just append an additional -signer cert.pem to the command.
openssl cms verify example
To verify a signed message, run the following command:
openssl cms -verify -CAfile misterpki.com-chain.pem -in mail.msg -signer misterpki.com.crt -out signedtext.txt
-verify means to verify the signature,
-CAfile misterpki.com-chain.pem is the file containing the chain of the signing certificate,
-in mail.msg is the signed message,
-signer misterpki.com.crt is the signer's certificate containing the public key to be used for verification, and
-out signedtext.txt is the file to output the signed message.
If you do not have the CA chain or simply do not care about validating with it, you can add the
-noverify flag to the command and remove the
openssl cms encrypt example
To encrypt a message with the cms utility, run the following command:
openssl cms -encrypt -in message.txt -aes256 -out encrypted.msc misterpki.com.pem
-encrypt means to encrypt the message,
-in message.txt is the plain-text message to be encrypted,
-aes256 is the encryption algorithm,
-out encrypted.msc is the encrypted message, and
misterpki.com.pem is the recipient's file containing the certificate and private key; encryption uses only the certificate's public key.
openssl cms decrypt example
To decrypt a message with the cms utility, run the following command:
openssl cms -decrypt -in encrypted.msc -recip misterpki.com.pem
-decrypt means to decrypt the message,
-in encrypted.msc is the file containing the encrypted message, and
-recip misterpki.com.pem is the file containing the private key and certificate.
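The four commands above as one round trip, written as an added example rather than code from the original article. It goes one step further than the text by checking that a message altered after signing fails verification; the self-signed certificate, subject, file names and message text are all constructed for the demo.

```shell
#!/bin/sh
# Added example: round trip of the page's four cms commands with a throwaway
# self-signed certificate. Subject, file names and message are constructed.

cms_demo_setup() {
    DEMO_DIR=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=CMS Demo/emailAddress=demo@example.invalid" \
        -keyout "$DEMO_DIR/key.pem" -out "$DEMO_DIR/cert.pem" 2>/dev/null || return 1
    # Same layout as misterpki.com.pem on the page: certificate plus private key.
    cat "$DEMO_DIR/cert.pem" "$DEMO_DIR/key.pem" > "$DEMO_DIR/signer.pem"
    printf 'hello from the cms demo\n' > "$DEMO_DIR/message.txt"
}

# Returns 0 when the signed message verifies against the trusted certificate.
# -signer is not passed to -verify here: per the openssl-cms manual, in verify
# mode that file receives the signer certificate on success.
cms_sign_verify() {
    openssl cms -sign -in "$DEMO_DIR/message.txt" -text \
        -out "$DEMO_DIR/mail.msg" -signer "$DEMO_DIR/signer.pem" 2>/dev/null &&
    openssl cms -verify -CAfile "$DEMO_DIR/cert.pem" -in "$DEMO_DIR/mail.msg" \
        -out "$DEMO_DIR/signedtext.txt" 2>/dev/null
}

# Returns 0 when a message altered after signing is rejected.
cms_tamper_rejected() {
    sed 's/hello/HELLO/' "$DEMO_DIR/mail.msg" > "$DEMO_DIR/tampered.msg"
    ! openssl cms -verify -CAfile "$DEMO_DIR/cert.pem" \
        -in "$DEMO_DIR/tampered.msg" -out /dev/null 2>/dev/null
}

# Returns 0 when decryption recovers the original text. Encryption needs only
# the certificate; decryption needs the private key. CR is stripped because
# S/MIME canonicalises line endings to CRLF.
cms_encrypt_decrypt() {
    openssl cms -encrypt -in "$DEMO_DIR/message.txt" -aes256 \
        -out "$DEMO_DIR/encrypted.msc" "$DEMO_DIR/cert.pem" 2>/dev/null &&
    openssl cms -decrypt -in "$DEMO_DIR/encrypted.msc" \
        -recip "$DEMO_DIR/signer.pem" 2>/dev/null |
        tr -d '\r' | cmp -s - "$DEMO_DIR/message.txt"
}

cms_demo_cleanup() { rm -rf "$DEMO_DIR"; }

cms_demo_setup || exit 1
cms_sign_verify && echo "signature verified"
cms_tamper_rejected && echo "tampered message rejected"
cms_encrypt_decrypt && echo "decrypted text matches original"
cms_demo_cleanup
```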
openssl cms vs openssl smime
Both the cms and smime utilities can be used for digitally signing, verifying, encrypting, and decrypting both regular text files and S/MIME messages. The cms utility is used more often with newer versions of S/MIME, and generally supports newer and stronger methods of encryption.
The Cryptographic Message Syntax (CMS) can be researched further by reading RFC 5652.