The openssl smime utility signs, verifies, encrypts and decrypts S/MIME messages. A single S/MIME message can carry signatures from multiple signers, and a message can be both signed and encrypted.
You can purchase an S/MIME email (user) certificate from almost any public CA (Certification Authority). For this exercise, we are using an email certificate issued and signed by Actalis, one of the only free email certificates available today.
openssl smime reads PEM-encoded certificates and keys, not PKCS#12 directly, so if you are using the PKCS12 (.pfx) file downloaded from Actalis it must first be converted to .pem. Follow these steps to convert:
To extract the private key alone:
openssl pkcs12 -in example.pfx -nocerts -out example.key -nodes
To extract the certificate alone:
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt
To convert the entire .pfx to .pem:
openssl pkcs12 -in example.pfx -out example.pem -nodes
openssl smime encrypt
To encrypt an S/MIME message with openssl, use the following command:
openssl smime -encrypt -in message.txt -aes256 -out mail.msg misterpki.pem
-encrypt means encrypt,
-in message.txt is the plain text message to be encrypted,
-aes256 is the symmetric cipher used for the message content (the content key itself is wrapped with the recipient's public key),
-out mail.msg will hold the encrypted message, and
misterpki.pem is the PEM-encoded recipient certificate (the combined certificate-and-private-key file from the conversion above also works; only the certificate's public key is used when encrypting). Further recipient certificates can be listed after it.
openssl smime decrypt
To decrypt an S/MIME message with openssl, use the following command:
openssl smime -decrypt -in mail.msg -recip misterpki.pem -inkey misterpki.key
-decrypt means decrypt,
-in mail.msg is the encrypted message,
-recip misterpki.pem is the recipient certificate whose public key the message was encrypted to, and
-inkey misterpki.key is the private key matching that certificate, used to decrypt the message.
openssl smime sign
To sign an S/MIME message with openssl, use the following command:
openssl smime -sign -in message.txt -text -out mail.msg -signer misterpki.pem
-sign means to digitally sign the message,
-in message.txt is the message to be signed,
-text adds plain text MIME headers to the signed message,
-out mail.msg is the signed message, and
-signer misterpki.pem is the pem encoded certificate and private key file.
openssl smime verify
To verify an S/MIME signed message with openssl, use the following command:
openssl smime -verify -in mail.msg -CAfile misterpki-chain.pem -signer user.pem -out signedtext.txt
-verify means verify the digital signature,
-in mail.msg is the signed message,
-CAfile misterpki-chain.pem is the chain and is required if not a self-signed certificate,
-signer user.pem will create the user.pem file to store the signer's certificate, and
-out signedtext.txt will store the signed text.
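The following script is an added example and not code from the original page: it runs the .pfx to .pem conversion, the sign/verify pair and the encrypt/decrypt pair described above end to end, and also shows the two outcomes a defender should expect openssl to reject: a signed message whose clear-text part was altered after signing, and a decryption attempt with a private key that does not match the -recip certificate. It assumes openssl 1.1.1 or later is on PATH. Every identity, file name and message in it is constructed for the demo; a self-signed certificate stands in for the CA-issued one, so it is also its own trust anchor for -CAfile.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl 1.1.1+ on PATH.
# All names, files and messages below are constructed for the demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway email identity and take it through the same .pfx -> .pem
# conversion the article describes for the downloaded certificate.
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -out "$WORK/alice.pfx" -passout pass:demo &&
  openssl pkcs12 -in "$WORK/alice.pfx" -out "$WORK/alice.pem" -nodes -passin pass:demo
}

# -signer takes the combined PEM (certificate + private key); -text adds the
# text/plain MIME header to the content that gets signed.
sign_message() { # $1 plaintext, $2 signed message out
  openssl smime -sign -in "$1" -text -out "$2" -signer "$WORK/alice.pem"
}

# Chain-validates the embedded signer certificate against -CAfile, writes the
# signer certificate to signer.pem and the verified content to $2.
# Exit status is non-zero when the signature or the chain does not check out.
verify_message() { # $1 signed message, $2 verified content out
  openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
    -signer "$WORK/signer.pem" -out "$2" 2>/dev/null
}

# Encryption needs only the recipient's certificate (public key); no private
# key is involved at this step.
encrypt_message() { # $1 plaintext, $2 encrypted message out
  openssl smime -encrypt -in "$1" -aes256 -out "$2" "$WORK/alice.crt"
}

# Decryption needs the private key matching -recip; openssl refuses to
# proceed when the pair does not match.
decrypt_message() { # $1 encrypted message, $2 plaintext out, $3 private key
  openssl smime -decrypt -in "$1" -recip "$WORK/alice.crt" -inkey "$3" \
    -out "$2" 2>/dev/null
}

# Edit the clear-text part of the multipart/signed message so the signature
# no longer matches; the hyphenated token cannot collide with base64 data.
tamper_message() { # $1 signed message, $2 modified copy out
  sed 's/TRANSFER-100-EUR/TRANSFER-900-EUR/' "$1" > "$2"
}

# Full round trip; returns 0 only when every expected outcome holds.
run_demo() {
  make_test_identity || return 1
  printf 'Invoice: TRANSFER-100-EUR due Friday\n' > "$WORK/message.txt"

  sign_message "$WORK/message.txt" "$WORK/mail.msg" || return 1
  verify_message "$WORK/mail.msg" "$WORK/signedtext.txt" || return 1
  echo "verify original:        OK (signer certificate written to signer.pem)"
  tamper_message "$WORK/mail.msg" "$WORK/tampered.msg"
  if verify_message "$WORK/tampered.msg" "$WORK/ignored.txt"; then return 1; fi
  echo "verify tampered:        rejected"

  encrypt_message "$WORK/message.txt" "$WORK/enc.msg" || return 1
  decrypt_message "$WORK/enc.msg" "$WORK/dec.txt" "$WORK/alice.key" || return 1
  grep -q 'TRANSFER-100-EUR' "$WORK/dec.txt" || return 1
  echo "decrypt with own key:   OK"
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  if decrypt_message "$WORK/enc.msg" "$WORK/bad.txt" "$WORK/other.key"; then return 1; fi
  echo "decrypt with wrong key: rejected"
}

run_demo
```

Note that verify_message passes the self-signed certificate itself as -CAfile; with a CA-issued certificate you would pass the issuer chain there instead, as the article's misterpki-chain.pem shows. The decrypted output keeps the CRLF line endings that openssl smime canonicalizes the input to, which is why the check greps for the token rather than comparing the files byte for byte.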
Read the official openssl docs for more detailed information.