cms.1s

openssl cms [operation] [options]

openssl cms is the OpenSSL utility for handling Cryptographic Message Syntax (CMS) data. CMS is a standard for cryptographic protection of data, defined in RFC 5652, and is the successor to PKCS#7.The command provides operations for signing, verification, encryption, and decryption of data. It supports multiple content types, allows detached signatures, and handles S/MIME email format. CMS is widely used in secure email (S/MIME), digital signatures, and encrypted data containers.Key operations include creating signed messages with optional timestamp authority integration, encrypting data for multiple recipients with different certificates, and verifying signatures against certificate chains with proper trust validation.

-sign

Sign the input data with certificate and private key.

Verify a signed CMS message.

Encrypt the input data for one or more recipients.

Decrypt a CMS encrypted message.

Input file to process.

Output file for the result.

Certificate file to use for signing.

Recipient certificate for encryption or decryption.

Private key file for signing or decryption.

File containing trusted CA certificates for verification.

Include the signed content within the CMS message (not detached).

Do not verify the signer's certificate.

Add text/plain MIME headers for S/MIME email.

Certificate trust chains must be properly configured for verification. Self-signed certificates require explicit trust settings. The -noverify option bypasses certificate validation and should only be used for testing. Default encryption algorithms may vary by OpenSSL version.

CMS was standardized as RFC 5652 in 2009, building upon PKCS#7 from RSA Laboratories. OpenSSL added the cms command as an improvement over the older smime command, offering better support for CMS-specific features and more modern cryptographic options.

x509(1), openssl(1)