The openssl cms utility will digitally sign, verify, encrypt and decrypt S/MIME version 3.1 mail and messages.
Checkout our smime article on how to get an email certificate and extract the public and private key for use in these commands.
To purchase an Email certificate, we recommend starting the process at The SSL Store.
openssl cms sign example
To sign a plaintext message, run the following command:
openssl cms -sign -in message.txt -text -out mail.msg -signer misterpki.com.pem
Where -sign means to digitally sign, -in message.txt is the file containing the message to be signed, -text means to add plain text MIME headers, -out mail.msg will be the signed message, and -signer misterpki.com.pem is the file containing both the private key and email certificate.
To add an additional signature to the message, just append an additional -signer cert.pem to the command.
openssl cms verify example
To verify a signed message, run the following command:
openssl cms -verify -CAfile misterpki.com-chain.pem -in mail.msg -signer misterpki.com.crt -out signedtext.txt
Where -verify means to verify the signature, -CAfile misterpki.com-chain.pem is the file containing the chain of the signing certificate, -in mail.msg is the signed message, -signer misterpki.com.crt is the signers certificate containing the public key to be used for verification, and -out signedtext.txt is the file to output the signed message.
If you do not have the ca chain or simply do not care about validating with it, you can add the -noverify flag to the command and remove the -CAfile flag.
openssl cms encrypt example
To encrypt a message with the cms utility, run the following command:
openssl cms -encrypt -in message.txt -aes256 -out encrypted.msc misterpki.com.pem
Where -encrypt means to encrypt the message, -in message.txt is the plain-text message to be encrypted, -aes256 is the encryption algorithm, -out encrypted.msc is the encrypted message, and misterpki.com.pem is the file containing the certificate and private key used for encryption.
openssl cms decrypt example
To decrypt a message with the cms utility, run the following command:
openssl cms -decrypt -in encrypted.msc -recip misterpki.com.pem
Where -decrypt means to decrypt the message, -in encrypted.msc is the file containing the encrypted message, and -recip misterpki.com.pem is the file containing the private key and certificate.
openssl cms vs openssl smime
Both the cms and smime utilities can be used for digitally signing, verifying, encrypted, and decrypting both regular text files and S/MIME messages. The cms utility is used more often with newer versions of S/MIME, and generally supports newer and stronger methods of encryption.
The Cryptographic Message Syntax (CMS) can be researched further by reading RFC-5652.
Common errors with the cms command
unable to load signing key file – You may see this error if you have attempted to decrypt or verify a message with either a corrupt, or incorrectly formatted key.
Error decrypting CMS structure – You may see this error if you have attempted to decrypt an encrypted email message with an incorrect key.
unable to load certificate – You may encounter this error if you have attempted to decrypt a message with a private key and not the public key in the corresponding certificate.
No recipient certificate or key specified – Decryption requires specifying a certificate and/or key file for decryption. If not specified with either -inkey or -recip, you will encounter this error.
This post covered the basics of using the openssl cms command. If you would like to see more examples not covered here for encrypting and singing email or messages with openssl, let us know in the comments!