
openssl cms – Sign and encrypt or decrypt email messages

April 21, 2021 by Mister PKI

The openssl cms utility will digitally sign, verify, encrypt and decrypt S/MIME version 3.1 mail and messages.

Check out our smime article on how to get an email certificate and extract the public and private key for use in these commands.

To purchase an Email certificate, we recommend starting the process at The SSL Store.

openssl cms sign example

To sign a plaintext message, run the following command:

openssl cms -sign -in message.txt -text -out mail.msg -signer misterpki.com.pem

Where -sign means to digitally sign, -in message.txt is the file containing the message to be signed, -text means to add plain text MIME headers, -out mail.msg will be the signed message, and -signer misterpki.com.pem is the file containing both the private key and email certificate.

To add an additional signature to the message, just append an additional -signer cert.pem to the command.

openssl cms verify example

To verify a signed message, run the following command:

openssl cms -verify -CAfile misterpki.com-chain.pem -in mail.msg -signer misterpki.com.crt -out signedtext.txt

Where -verify means to verify the signature, -CAfile misterpki.com-chain.pem is the file containing the chain of the signing certificate, -in mail.msg is the signed message, -signer misterpki.com.crt is the signer's certificate containing the public key to be used for verification, and -out signedtext.txt is the file to output the signed message.

If you do not have the CA chain or simply do not care about validating with it, you can add the -noverify flag to the command and remove the -CAfile flag.
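
The difference between the two verification modes above, shown as an added example (not from the original article): a message signed with a certificate outside the trust file is rejected with -CAfile but accepted with -noverify, while a tampered body is rejected either way. The identities alice and mallory, the message text and all file names are constructed.

```sh
#!/bin/sh
# Added example; every name, subject and message below is constructed.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
printf 'Pay invoice 4471 to account A\n' > "$work/message.txt"

# mkid NAME: self-signed NAME.crt plus NAME.pem (certificate + private key),
# the combined layout the article passes to -signer.
mkid() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null &&
    cat "$work/$1.crt" "$work/$1.key" > "$work/$1.pem"
}

# sign_as NAME: write a clear-signed S/MIME message to NAME.msg.
sign_as() {
  openssl cms -sign -in "$work/message.txt" -text \
    -out "$work/$1.msg" -signer "$work/$1.pem" 2>/dev/null
}

# verify_trusted MSG CAFILE: check the signature and validate the signer's
# certificate against the trust anchors in CAFILE.
verify_trusted() {
  openssl cms -verify -CAfile "$2" -in "$1" -out /dev/null 2>/dev/null
}

# verify_noverify MSG: check the signature only; the signer's certificate
# is not validated, so a signature from any key holder is accepted.
verify_noverify() {
  openssl cms -verify -noverify -in "$1" -out /dev/null 2>/dev/null
}

# verdict CMD...: print how the given verification ended.
verdict() { if "$@"; then echo accepted; else echo rejected; fi; }

mkid alice && mkid mallory   # only alice.crt is used as the trust file
sign_as alice && sign_as mallory
# Constructed tampering: change the clear-text body of alice's signed message.
sed 's/account A/account B/' "$work/alice.msg" > "$work/tampered.msg"

echo "alice,    -CAfile:   $(verdict verify_trusted "$work/alice.msg" "$work/alice.crt")"
echo "mallory,  -CAfile:   $(verdict verify_trusted "$work/mallory.msg" "$work/alice.crt")"
echo "mallory,  -noverify: $(verdict verify_noverify "$work/mallory.msg")"
echo "tampered, -noverify: $(verdict verify_noverify "$work/tampered.msg")"
```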

openssl cms encrypt example

To encrypt a message with the cms utility, run the following command:

openssl cms -encrypt -in message.txt -aes256 -out encrypted.msc misterpki.com.pem

Where -encrypt means to encrypt the message, -in message.txt is the plain-text message to be encrypted, -aes256 is the encryption algorithm, -out encrypted.msc is the encrypted message, and misterpki.com.pem is the file containing the certificate and private key used for encryption.

openssl cms decrypt example

To decrypt a message with the cms utility, run the following command:

openssl cms -decrypt -in encrypted.msc -recip misterpki.com.pem

Where -decrypt means to decrypt the message, -in encrypted.msc is the file containing the encrypted message, and -recip misterpki.com.pem is the file containing the private key and certificate.
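
An encrypt and decrypt round trip using the two commands above, as an added example that is not part of the original article; it also shows decryption being refused when -recip names a different identity or is omitted. The identities alice and bob, the message text and all file names are constructed.

```sh
#!/bin/sh
# Added example; every name, subject and message below is constructed.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
printf 'Key rotation is scheduled for Friday\n' > "$work/message.txt"

# mkid NAME: self-signed NAME.crt plus NAME.pem (certificate + private key).
mkid() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null &&
    cat "$work/$1.crt" "$work/$1.key" > "$work/$1.pem"
}

# encrypt_to NAME: encrypt message.txt for NAME. Only the recipient's
# certificate is read here; the private key is needed for decryption alone.
encrypt_to() {
  openssl cms -encrypt -in "$work/message.txt" -aes256 \
    -out "$work/encrypted.msc" "$work/$1.crt" 2>/dev/null
}

# decrypt_as NAME: decrypt with NAME's certificate and key, then print the
# plaintext, dropping any CR that S/MIME canonical line endings introduce.
decrypt_as() {
  openssl cms -decrypt -in "$work/encrypted.msc" -recip "$work/$1.pem" \
    -out "$work/$1.out" 2>/dev/null && tr -d '\r' < "$work/$1.out"
}

# decrypt_without_recipient: neither -recip nor -inkey is given, the case
# the article lists as "No recipient certificate or key specified".
decrypt_without_recipient() {
  openssl cms -decrypt -in "$work/encrypted.msc" 2>/dev/null
}

mkid alice && mkid bob
encrypt_to alice             # bob is not a recipient of this message

echo "alice: $(decrypt_as alice || echo rejected)"
echo "bob:   $(decrypt_as bob || echo rejected)"
echo "none:  $(decrypt_without_recipient || echo rejected)"
```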

openssl cms vs openssl smime

Both the cms and smime utilities can be used for digitally signing, verifying, encrypting, and decrypting both regular text files and S/MIME messages. The cms utility is used more often with newer versions of S/MIME, and generally supports newer and stronger methods of encryption.

The Cryptographic Message Syntax (CMS) can be researched further by reading RFC-5652.

Common errors with the cms command

unable to load signing key file – You may see this error if you have attempted to decrypt or verify a message with either a corrupt or incorrectly formatted key.

Error decrypting CMS structure – You may see this error if you have attempted to decrypt an encrypted email message with an incorrect key.

unable to load certificate – You may encounter this error if you have attempted to decrypt a message with a private key and not the public key in the corresponding certificate.

No recipient certificate or key specified – Decryption requires specifying a certificate and/or key file for decryption. If not specified with either -inkey or -recip, you will encounter this error.

Conclusion

This post covered the basics of using the openssl cms command. If you would like to see more examples not covered here for encrypting and signing email or messages with openssl, let us know in the comments!
