[B<-signer file>]
[B<-recip file>]
[B<-in file>]
+[B<-inform SMIME|PEM|DER>]
[B<-inkey file>]
[B<-out file>]
+[B<-outform SMIME|PEM|DER>]
+[B<-content file>]
[B<-to addr>]
[B<-from ad>]
[B<-subject s>]
[B<-text>]
+[B<-rand file(s)>]
[cert.pem]...
=head1 DESCRIPTION
the input message to be encrypted or signed or the MIME message to
be decrypted or verified.
+=item B<-inform SMIME|PEM|DER>
+
+this specifies the input format for the PKCS#7 structure. The default
+is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
+format change this to expect PEM and DER format PKCS#7 structures
+instead. This currently only affects the input format of the PKCS#7
+structure, if no PKCS#7 structure is being input (for example with
+B<-encrypt> or B<-sign>) this option has no effect.
+
=item B<-out filename>
the message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
+=item B<-outform SMIME|PEM|DER>
+
+this specifies the output format for the PKCS#7 structure. The default
+is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
+format change this to write PEM and DER format PKCS#7 structures
+instead. This currently only affects the output format of the PKCS#7
+structure, if no PKCS#7 structure is being output (for example with
+B<-verify> or B<-decrypt>) this option has no effect.
+
+=item B<-content filename>
+
+This specifies a file containing the detached content, this is only
+useful with the B<-verify> command. This is only usable if the PKCS#7
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed MIME content type.
+
=item B<-text>
this option adds plain text (text/plain) MIME headers to the supplied
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file.
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
achieve the correct format.
The supplied message to be signed or encrypted must include the
-necessary MIME headers: or many S/MIME clients wont display it
+necessary MIME headers or many S/MIME clients wont display it
properly (if at all). You can use the B<-text> option to automatically
add plain text headers.
Create a cleartext signed message:
- openssl smime -sign -in message.txt -text -out mail.msg
- -signer mycert.pem
+ openssl smime -sign -in message.txt -text -out mail.msg \
+ -signer mycert.pem
Create and opaque signed message
- openssl smime -sign -in message.txt -text -out mail.msg -nodetach
- -signer mycert.pem
+ openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
+ -signer mycert.pem
Create a signed message, include some additional certificates and
read the private key from another file:
- openssl smime -sign -in in.txt -text -out mail.msg
- -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+ openssl smime -sign -in in.txt -text -out mail.msg \
+ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Send a signed message under Unix directly to sendmail, including headers:
- openssl smime -sign -in in.txt -text -signer mycert.pem -from steve@openssl.org
- -to someone@somewhere -subject "Signed message" | sendmail someone@somewhere
+ openssl smime -sign -in in.txt -text -signer mycert.pem \
+ -from steve@openssl.org -to someone@somewhere \
+ -subject "Signed message" | sendmail someone@somewhere
Verify a message and extract the signer's certificate if successful:
Send encrypted mail using triple DES:
- openssl smime -encrypt -in in.txt -from steve@openssl.org -to someone@somewhere
- -subject "Encrypted message" -des3 user.pem -out mail.msg
+ openssl smime -encrypt -in in.txt -from steve@openssl.org \
+ -to someone@somewhere -subject "Encrypted message" \
+ -des3 user.pem -out mail.msg
Sign and encrypt mail:
- openssl smime -sign -in ml.txt -signer my.pem -text | openssl -encrypt -out mail.msg
- -from steve@openssl.org -to someone@somewhere -subject "Signed and Encrypted message"
- -des3 user.pem
+ openssl smime -sign -in ml.txt -signer my.pem -text \
+ | openssl -encrypt -out mail.msg \
+ -from steve@openssl.org -to someone@somewhere \
+ -subject "Signed and Encrypted message" -des3 user.pem
Note: the encryption command does not include the B<-text> option because the message
being encrypted already has MIME headers.
openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
+The output from Netscape form signing is a PKCS#7 structure with the
+detached signature format. You can use this program to verify the
+signature by line wrapping the base64 encoded structure and surrounding
+it with:
+
+ -----BEGIN PKCS7----
+ -----END PKCS7----
+
+and using the command,
+
+ openssl smime -verify -inform PEM -in signature.pem -content content.txt
+
+alternatively you can base64 decode the signature and use
+
+ openssl smime -verify -inform DER -in signature.der -content content.txt
+
=head1 BUGS
The MIME parser isn't very clever: it seems to handle most messages that I've thrown