openssl smime

March 17, 2020 by Mister PKI

The openssl smime utility signs, verifies, encrypts, and decrypts S/MIME messages. A message can also be signed by multiple signers.

You can purchase an S/MIME email (user) certificate from almost any public CA (Certification Authority). For this exercise, we are using an email certificate issued and signed by Actalis, one of the few free email certificates available today.

If you are using the PKCS12 (.pfx) file downloaded from Actalis, convert it to .pem first, because the openssl smime commands require PEM input. Follow these steps to convert:

To extract the private key alone (-nodes writes the key unencrypted, so restrict access to example.key):

openssl pkcs12 -in example.pfx -nocerts -out example.key -nodes

To extract the certificate alone:

openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt

To convert the entire .pfx (certificates and private key) to .pem:

openssl pkcs12 -in example.pfx -out example.pem -nodes

openssl smime encrypt

To encrypt an S/MIME message with openssl, use the following command:

openssl smime -encrypt -in message.txt -aes256 -out mail.msg misterpki.pem

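Where -encrypt means encrypt, -in message.txt is the plaintext message to be encrypted, -aes256 is the encryption algorithm, -out mail.msg will hold the encrypted message, and misterpki.pem is the PEM-encoded certificate and private key file of the recipient. Only the certificate's public key is used for encryption, so a file containing the certificate alone also works here.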

openssl smime decrypt

To decrypt an S/MIME message with openssl, use the following command:

openssl smime -decrypt -in mail.msg -recip misterpki.pem -inkey misterpki.key

Where -decrypt means decrypt, -in mail.msg is the encrypted message, -recip misterpki.pem is the recipient certificate whose public key the message was encrypted with, and -inkey misterpki.key is the matching private key used to decrypt the message.

openssl smime sign

To sign an S/MIME message with openssl, use the following command:

openssl smime -sign -in message.txt -text -out mail.msg -signer misterpki.pem

Where -sign means digitally sign the message, -in message.txt is the message to be signed, -text adds plain text (text/plain) MIME headers to the signed message, -out mail.msg is the signed message, and -signer misterpki.pem is the PEM-encoded file containing the signer's certificate and private key.

openssl smime verify

To verify an S/MIME signed message with openssl, use the following command:

openssl smime -verify -in mail.msg -CAfile misterpki-chain.pem -signer user.pem -out signedtext.txt

Where -verify means verify the digital signature, -in mail.msg is the signed message, -CAfile misterpki-chain.pem is the trusted chain used to validate the signer's certificate and is required if it is not a self-signed certificate, -signer user.pem creates the user.pem file and stores the signer's certificate in it, and -out signedtext.txt stores the signed text.
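The four operations above chained into one round trip with a tamper check, as an added example that is not from the original post. It assumes a throwaway self-signed certificate in place of the Actalis one (demo.crt, demo.key, the subject and the message text are constructed), which is why the certificate itself is passed to -CAfile as the trust anchor.

```shell
#!/bin/sh
# Added example: sign -> encrypt -> decrypt -> verify, plus a tamper check.
# demo.key/demo.crt, the subject and the message text are constructed here;
# the self-signed certificate stands in for a CA-issued S/MIME certificate.
smime_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077   # the key is written unencrypted (-nodes), keep it private
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo User/emailAddress=demo@example.com" \
            -keyout demo.key -out demo.crt 2>/dev/null || exit 1
        printf 'constructed test message\n' > message.txt

        # Sender: sign with the private key, then encrypt to the certificate only.
        openssl smime -sign -in message.txt -text -out signed.msg \
            -signer demo.crt -inkey demo.key || exit 1
        openssl smime -encrypt -in signed.msg -aes256 -out mail.msg demo.crt || exit 1

        # Recipient: decrypt, then verify against the trusted certificate.
        openssl smime -decrypt -in mail.msg -recip demo.crt -inkey demo.key \
            -out decrypted.msg || exit 1
        openssl smime -verify -in decrypted.msg -CAfile demo.crt -text \
            -out verified.txt 2>/dev/null || exit 1
        # S/MIME canonicalises line endings to CRLF; drop CR before comparing.
        tr -d '\r' < verified.txt | cmp -s - message.txt || exit 1

        # Change one word of the signed body: verification must now fail.
        sed 's/constructed/tampered/' decrypted.msg > tampered.msg
        if openssl smime -verify -in tampered.msg -CAfile demo.crt -text \
            -out /dev/null 2>/dev/null; then
            exit 2
        fi
        echo "roundtrip=ok tamper=rejected"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

smime_demo
```

Always check the exit status of openssl smime -verify before using the file written by -out; a non-zero status means the signature or the certificate chain did not validate.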

Read the official openssl docs for more detailed information.
