pkcs7.1s

Verify PKCS#7/CMS signatures and data

SYNOPSIS

openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-nointern] [-noverify] [-nochain] [-nocerts] [-print_certs] [-text] [-noattr] [-certfile filename] [-CAfile filename] [-CApath directory] [-signer filename] [-sign] [-passin arg] [-inkey filename] [-encrypt] [-des|-des3|-idea] [-recip filename] [-decrypt] [-pass arg] [-content filename] [-binary] [-stream] [-nodetach] [-noout]

PARAMETERS

-inform PEM|DER
    Input format: PEM or DER. DER is binary, PEM is base64 encoded.

-outform PEM|DER
    Output format: PEM or DER.

-in filename
    Input filename.

-out filename
    Output filename.

-nointern
    Don't search certificates in the message for the signer. Only use the -certfile and -CAfile options.

-noverify
    Don't verify the signer's certificate.

-nochain
    Don't build certificate chain with supplied untrusted certificates.

-nocerts
    Don't include any certificates in the output.

-print_certs
    Print all certificates in the message.

-text
    Print out a human-readable text version of the data and of each certificate.

-noattr
    When signing, don't include any attributes (e.g., signing time).

-certfile filename
    File containing additional certificates to search.

-CAfile filename
    Trusted CA file.

-CApath directory
    Trusted CA directory.

-signer filename
    Signing certificate filename.

-sign
    Sign the data.

-passin arg
    Input pass phrase source.

-inkey filename
    Signing key filename. Defaults to signer.

-encrypt
    Encrypt the data.

-des|-des3|-idea
    Encryption algorithm to use.

-recip filename
    Recipient certificate file. Can be specified multiple times.

-decrypt
    Decrypt the data.

-pass arg
    Decryption password source.

-content filename
    Supply content from file (for -sign or -encrypt).

-binary
    Output in binary format.

-stream
    Streaming operation.

-nodetach
    Don't detach the signature from data.

-noout
    Don't output the content (useful for verifying only).

DESCRIPTION

The pkcs7 command is a command-line utility for handling data that conforms to the Public-Key Cryptography Standards #7 (PKCS#7) specification. It is primarily designed for working with digital signatures and encryption: it allows users to verify digital signatures attached to files, extract the content of signed documents, and encrypt and decrypt data using the PKCS#7 enveloped-data format. It also provides tools for managing the certificates and keys related to PKCS#7.

pkcs7 is commonly used where secure communication and data integrity are crucial, such as email security (S/MIME), software distribution, and data archiving. It leverages cryptographic libraries (like OpenSSL) to perform the necessary cryptographic operations. The command supports various options to customize its behavior, allowing it to handle different PKCS#7 structures, certificate stores, and output formats.
It is part of the openssl command and shares the same manual page.

USAGE EXAMPLES

  • Signing a file: openssl smime -sign -in myfile.txt -out signed.pk7 -signer mycert.pem -inkey mykey.pem
  • Verifying a signature: openssl smime -verify -in signed.pk7 -CAfile ca.pem
  • Decrypting an encrypted file: openssl smime -decrypt -in encrypted.pk7 -inkey mykey.pem -out decrypted.txt
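
A worked check of the -CAfile, -content, -print_certs and -noverify options described above, as an added example that is not part of the original page. It assumes signing and verification go through `openssl smime` and uses `openssl pkcs7` only to list embedded certificates; the keys, certificates, message and function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo data: throwaway keys, self-signed certs and a sample message.
WORK=$(mktemp -d)

make_cert() {       # $1 = name; writes $WORK/$1.key and $WORK/$1.pem (self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

sign_detached() {   # $1 = signer name, $2 = content file, $3 = output PKCS#7 (PEM)
  openssl smime -sign -binary -in "$2" -signer "$WORK/$1.pem" \
    -inkey "$WORK/$1.key" -outform PEM -out "$3" 2>/dev/null
}

list_certs() {      # $1 = PKCS#7 file; prints subject and issuer of embedded certs
  openssl pkcs7 -inform PEM -in "$1" -print_certs -noout
}

verify() {          # $1 = PKCS#7 file, $2 = content file, $3 = trusted CA file
  openssl smime -verify -binary -inform PEM -in "$1" -content "$2" \
    -CAfile "$3" -out /dev/null 2>/dev/null
}

verify_noverify() { # same check, but -noverify skips the signer certificate check
  openssl smime -verify -noverify -binary -inform PEM -in "$1" -content "$2" \
    -out /dev/null 2>/dev/null
}

demo() {
  make_cert trusted-signer && make_cert other-signer || return 1
  printf 'release-1.0 payload\n' > "$WORK/msg.txt"
  sign_detached trusted-signer "$WORK/msg.txt" "$WORK/good.p7s"
  sign_detached other-signer   "$WORK/msg.txt" "$WORK/rogue.p7s"
  list_certs "$WORK/good.p7s"
  verify "$WORK/good.p7s" "$WORK/msg.txt" "$WORK/trusted-signer.pem" && echo "good: OK"
  verify "$WORK/rogue.p7s" "$WORK/msg.txt" "$WORK/trusted-signer.pem" || echo "rogue: rejected"
  verify_noverify "$WORK/rogue.p7s" "$WORK/msg.txt" && echo "rogue with -noverify: accepted"
  printf 'tampered payload\n' > "$WORK/msg.txt"
  verify "$WORK/good.p7s" "$WORK/msg.txt" "$WORK/trusted-signer.pem" || echo "tampered: rejected"
}

demo
```

With -noverify the signature is still checked against the content, but any signer certificate is accepted, so the result says nothing about who signed the data.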

SEE ALSO

openssl(1), cms(1)
