pkcs7.1s
Verify PKCS#7/CMS signatures and data
SYNOPSIS
openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-nointern] [-noverify] [-nochain] [-nocerts] [-print_certs] [-text] [-noattr] [-certfile filename] [-CAfile filename] [-CApath directory] [-signer filename] [-sign] [-passin arg] [-inkey filename] [-encrypt] [-des|-des3|-idea] [-recip filename] [-decrypt] [-pass arg] [-content filename] [-binary] [-stream] [-nodetach] [-noout]
PARAMETERS
-inform PEM|DER
Input format: PEM or DER. DER is binary, PEM is base64 encoded.
-outform PEM|DER
Output format: PEM or DER.
-in filename
Input filename.
-out filename
Output filename.
-nointern
Don't search certificates in the message for the signer. Only use the -certfile and -CAfile options.
-noverify
Don't verify the signer's certificate.
-nochain
Don't build certificate chain with supplied untrusted certificates.
-nocerts
Don't include any certificates in the output.
-print_certs
Print all certificates in the message.
-text
Print out a human-readable text version of the data and each certificate.
-noattr
When signing, don't include any attributes (e.g., signing time).
-certfile filename
File containing additional certificates to search.
-CAfile filename
Trusted CA file.
-CApath directory
Trusted CA directory.
-signer filename
Signing certificate filename.
-sign
Sign the data.
-passin arg
Input pass phrase source.
-inkey filename
Signing key filename. Defaults to signer.
-encrypt
Encrypt the data.
-des|-des3|-idea
Encryption algorithm to use.
-recip filename
Recipient certificate file. Can be specified multiple times.
-decrypt
Decrypt the data.
-pass arg
Decryption password source.
-content filename
Supply content from file (for -sign or -encrypt).
-binary
Output in binary format.
-stream
Streaming operation.
-nodetach
Don't detach the signature from data.
-noout
Don't output the content (useful for verifying only).
DESCRIPTION
The pkcs7 command is a command-line utility for handling data that conforms to the Public-Key Cryptography Standards #7 (PKCS#7) specification. It is designed primarily for working with digital signatures and encryption: verifying digital signatures attached to files, extracting the content of signed documents, encrypting and decrypting data in the PKCS#7 enveloped-data format, and managing the certificates and keys related to PKCS#7.
pkcs7 is commonly used where secure communication and data integrity are crucial, such as email security (S/MIME), software distribution, and data archiving. It relies on cryptographic libraries (like OpenSSL) to perform the necessary cryptographic operations, and its options allow handling of different PKCS#7 structures, certificate stores, and output formats.
It is part of the openssl command and shares the same manual page.
USAGE EXAMPLES
- Signing a file: openssl smime -sign -in myfile.txt -out signed.pk7 -signer mycert.pem -inkey mykey.pem
- Verifying a signature: openssl smime -verify -in signed.pk7 -CAfile ca.pem
- Decrypting an encrypted file: openssl smime -decrypt -in encrypted.pk7 -inkey mykey.pem -out decrypted.txt
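Added example, not part of the original page: a detached PKCS#7 signature is created and verified with openssl smime, inspected with openssl pkcs7 -print_certs, and then checked against modified content and against a trust store that lacks the signer, to show what -CAfile and -noverify each decide. All file names and certificate subjects are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example; file names and subject names are constructed for the demo.
WORK=$(mktemp -d)

setup() {
  # Throwaway self-signed certificate: signer and trust anchor in one.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  # Unrelated certificate: a trust store that does not contain the signer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  printf 'release-1.0 payload\n' > "$WORK/data.txt"
  printf 'release-1.0 payload (modified)\n' > "$WORK/tampered.txt"
  # Detached PEM signature; -binary disables MIME canonicalisation.
  openssl smime -sign -binary -in "$WORK/data.txt" -signer "$WORK/cert.pem" \
    -inkey "$WORK/key.pem" -outform PEM -out "$WORK/sig.p7s"
}

# verify <content> <trusted-ca-file> [extra flags]  -> prints OK or FAIL
verify() {
  content=$1; ca=$2; shift 2
  if openssl smime -verify -binary -inform PEM -in "$WORK/sig.p7s" \
       -content "$content" -CAfile "$ca" "$@" -out /dev/null 2>/dev/null
  then echo OK; else echo FAIL; fi
}

# Count certificates embedded in the signature whose subject contains $1.
embedded_certs() {
  openssl pkcs7 -inform PEM -in "$WORK/sig.p7s" -print_certs -noout |
    grep -c "^subject=.*$1"
}

setup
echo "trusted signer, intact content:     $(verify "$WORK/data.txt" "$WORK/cert.pem")"
echo "trusted signer, modified content:   $(verify "$WORK/tampered.txt" "$WORK/cert.pem")"
echo "untrusted signer, intact content:   $(verify "$WORK/data.txt" "$WORK/other.pem")"
# -noverify skips the signer certificate check: the digest still has to match,
# but the result says nothing about who produced the signature.
echo "untrusted signer with -noverify:    $(verify "$WORK/data.txt" "$WORK/other.pem" -noverify)"
echo "modified content with -noverify:    $(verify "$WORK/tampered.txt" "$WORK/other.pem" -noverify)"
echo "embedded demo-signer certificates:  $(embedded_certs demo-signer)"
```

A verification result obtained with -noverify only shows that the content matches the signature made by whatever certificate is embedded in the message, so it should not be used to decide whether a signer is trusted.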
SEE ALSO
openssl(1), cms(1)