
Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates


openssl smime

March 17, 2020 by Mister PKI

The openssl smime utility signs, verifies, encrypts and decrypts S/MIME messages. A message can carry signatures from more than one signer, and a signed message can additionally be encrypted. (openssl cms offers a superset of the same operations with the same option names; the smime commands below still work on current OpenSSL releases.)

You can purchase an S/MIME email (user) certificate from almost any public CA (Certification Authority). For this exercise we use an email certificate issued and signed by Actalis, which at the time of writing is one of the few CAs that offers them free of charge.

If you are using the PKCS12 (.pfx) file downloaded from Actalis, the openssl smime commands below need the certificate and private key in PEM form. Convert them as follows (each command prompts for the import password of the .pfx):

To extract the private key alone:

openssl pkcs12 -in example.pfx -nocerts -out example.key -nodes

To extract the certificate alone:

openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt

To convert the entire .pfx to .pem:

openssl pkcs12 -in example.pfx -out example.pem -nodes

-nodes writes the private key unencrypted (OpenSSL 3.x also accepts -noenc for this), so restrict the permissions of example.key and example.pem (chmod 600) and keep them out of anything you share. -clcerts writes only your own end-entity certificate; if the .pfx also bundles the issuing CA certificates, -cacerts -nokeys extracts those separately.

openssl smime encrypt

To encrypt an S/MIME message with openssl, use the following command:

openssl smime -encrypt -in message.txt -aes256 -out mail.msg misterpki.pem

Where -encrypt selects encryption, -in message.txt is the plaintext message to be encrypted, -aes256 is the content-encryption cipher (always name one; if none is given openssl falls back to triple DES), -out mail.msg receives the encrypted MIME message, and misterpki.pem is the PEM-encoded certificate of the recipient. Only the recipient's public key is used here, so a certificate-only file is sufficient and the recipient's private key is not needed; you can list several recipient certificates at the end of the command to encrypt the same message to all of them.

openssl smime decrypt

To decrypt an S/MIME message with openssl, use the following command:

openssl smime -decrypt -in mail.msg -recip misterpki.pem -inkey misterpki.key

Where -decrypt selects decryption, -in mail.msg is the encrypted message, -recip misterpki.pem is the recipient certificate whose public key the message was encrypted to (openssl uses it to pick the matching recipient entry in the message), and -inkey misterpki.key is the matching private key. If the file given to -recip also contains the private key, -inkey can be omitted.

openssl smime sign

To sign an S/MIME message with openssl, use the following command:

openssl smime -sign -in message.txt -text -out mail.msg -signer misterpki.pem

Where -sign digitally signs the message, -in message.txt is the message to be signed, -text adds a text/plain MIME content-type header to the message before it is signed, -out mail.msg is the signed message, and -signer misterpki.pem is the PEM-encoded signer certificate, which here also contains the private key (if the key lives in a separate file, pass it with -inkey). The result is a clear-signed multipart/signed message: the text stays readable and the signature sits in a separate base64 part. Add -nodetach for an opaque signature that wraps the content, and -certfile with your CA's intermediate certificates so that recipients can build the chain to a root they trust.

openssl smime verify

To verify an S/MIME signed message with openssl, use the following command:

openssl smime -verify -in mail.msg -CAfile misterpki-chain.pem -signer user.pem -out signedtext.txt

Where -verify checks the digital signature, -in mail.msg is the signed message, -CAfile misterpki-chain.pem is the file of trusted certificates used to validate the signer's certificate (the CA root plus any intermediates not embedded in the message). It is needed for any signer certificate whose issuer is not already in OpenSSL's default trust store, a self-signed certificate included; -noverify skips certificate validation and checks only the signature, which is rarely what you want. -signer user.pem writes the signer's certificate extracted from the message to user.pem, and -out signedtext.txt stores the signed content. openssl prints "Verification successful" on success and exits non-zero on failure, so scripts should check the exit status rather than the output file.

Read the official openssl docs for more detailed information.
