The openssl smime utility signs, verifies, encrypts and decrypts S/MIME messages. A message can be signed by one or more signers, encrypted to one or more recipients, decrypted, and verified.
You can purchase an S/MIME email (user) certificate from almost any public CA (Certification Authority). For this exercise we use an email certificate issued and signed by Actalis, one of the few free email certificates available today.
If you downloaded a PKCS12 (.pfx) file from Actalis, convert it to PEM first: the openssl smime commands below expect PEM-encoded keys and certificates. Note that -nodes writes the private key to disk unencrypted, so make the output files readable only by your own account and delete any copies you no longer need. Follow these steps to convert:
To extract the private key alone:
openssl pkcs12 -in example.pfx -nocerts -out example.key -nodes
To extract the certificate alone (-clcerts selects the user certificate; the same .pfx usually also carries the issuing CA certificates, which -cacerts -nokeys extracts instead and which you need for the chain file used when verifying):
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt
To convert the entire .pfx to .pem (private key plus all certificates in one file):
openssl pkcs12 -in example.pfx -out example.pem -nodes
openssl smime encrypt
To encrypt an S/MIME message with openssl, use the following command:
openssl smime -encrypt -in message.txt -aes256 -out mail.msg misterpki.pem
Where -encrypt means encrypt, -in message.txt is the plain text message to be encrypted, -aes256 is the content encryption algorithm, -out mail.msg will hold the encrypted message, and misterpki.pem is the PEM-encoded certificate of the recipient. Only the recipient's certificate (public key) is needed here, not a private key, so the file you give to a sender should contain the certificate alone; listing more than one certificate file encrypts the message to several recipients.
openssl smime decrypt
To decrypt an S/MIME message with openssl, use the following command:
openssl smime -decrypt -in mail.msg -recip misterpki.pem -inkey misterpki.key
Where -decrypt means decrypt, -in mail.msg is the encrypted message, -recip misterpki.pem is the certificate whose public key the message was encrypted to (openssl uses it to pick the matching recipient entry in the message), and -inkey misterpki.key is the corresponding private key used to decrypt the message.
openssl smime sign
To sign an S/MIME message with openssl, use the following command:
openssl smime -sign -in message.txt -text -out mail.msg -signer misterpki.pem
Where -sign means to digitally sign the message, -in message.txt is the message to be signed, -text adds plain text (text/plain) MIME headers to the signed content, -out mail.msg is the signed message, and -signer misterpki.pem is the PEM-encoded certificate and private key file of the signer. If the private key lives in a separate file, pass it with -inkey; repeating -signer (each with its own key) produces a message signed by several signers. By default the result is a clear-signed multipart/signed message whose text part is readable without verifying it; -nodetach produces an opaque signed message instead.
openssl smime verify
To verify an S/MIME signed message with openssl, use the following command:
openssl smime -verify -in mail.msg -CAfile misterpki-chain.pem -signer user.pem -out signedtext.txt
Where -verify means verify the digital signature, -in mail.msg is the signed message, -CAfile misterpki-chain.pem holds the trusted CA certificates (the root, plus any intermediates not embedded in the message) that the signer's certificate must chain to; verification fails when no trusted issuer is found, and that includes a self-signed signer certificate unless it is itself listed in -CAfile. -signer user.pem writes the signer's certificate taken from the message to the file user.pem, and -out signedtext.txt stores the verified text. openssl prints "Verification successful" on stderr and exits non-zero on any failure (bad signature, tampered content, untrusted or expired certificate), so scripts should check the exit status rather than the presence of output. -noverify checks the signature but skips certificate validation, which accepts a message from anyone holding any key and should be used only for debugging.
Read the official openssl docs for more detailed information.