smime.1s
Encrypt or decrypt S/MIME messages
SYNOPSIS
openssl smime [options] [cert.pem ...]
Common operations include:
openssl smime -sign ...
openssl smime -verify ...
openssl smime -encrypt ...
openssl smime -decrypt ...
PARAMETERS
-sign
Signs the message using the provided certificate and private key.
-verify
Verifies a signed message, checking the signature and certificate chain.
-encrypt
Encrypts the message for the recipient certificates given as trailing arguments, using the cipher selected by an option such as -des3 or -aes256.
-decrypt
Decrypts an encrypted S/MIME message using the recipient's private key.
-in
Specifies the input file for the S/MIME operation. Defaults to standard input.
-out
Specifies the output file for the result. Defaults to standard output.
-signer
Certificate of the signer in PEM format (for `-sign`).
-recip
Recipient's certificate for decryption (for `-decrypt`).
-inkey
Private key file to use for signing or decryption.
-passin
Source for the private key's passphrase (e.g., 'pass:mypass', 'file:key.pass').
-inform
Input format for certificates or PKCS#7 structures (PEM, DER, SMIME).
-outform
Output format for the resulting S/MIME message or data (PEM, DER, SMIME).
-md
Message digest algorithm to use for signing (e.g., sha256, sha512).
-binary
Disables MIME canonicalization; useful for processing raw binary data.
-text
Adds a text/plain MIME header to the content when signing or encrypting (and strips it again when verifying or decrypting); line endings are canonicalized to CRLF unless -binary is given.
-nodetach
Produces an opaque (embedded) signature instead of a detached one (for `-sign`).
DESCRIPTION
The `smime` command, part of the OpenSSL toolkit, is a versatile utility for processing S/MIME (Secure/Multipurpose Internet Mail Extensions) messages. It implements the Cryptographic Message Syntax (CMS) standard, defined in RFC 5652, which is a superset of the older PKCS#7 standard.
This command enables various cryptographic operations crucial for secure communication: signing messages to provide digital signatures for integrity and non-repudiation; verifying signatures to ensure message authenticity; encrypting messages for confidentiality; and decrypting previously encrypted data. It can read input from standard input or a specified file and write output to standard output or a designated file.
`smime` is widely used for securing email communications but is also applicable for general data security where CMS-formatted data is required. It leverages X.509 certificates and private keys, making it an essential tool in PKI-enabled environments for handling encrypted and signed content.
CAVEATS
Using `smime` requires a solid understanding of cryptographic concepts, X.509 certificates, and private key management. Misconfiguration of certificates or keys can lead to verification failures or inability to decrypt messages. The command's flexibility means many options, which can be overwhelming for new users. Ensure proper handling of passphrases and secure storage of private keys.
PKI MODEL
Unlike PGP's 'web of trust', S/MIME relies on a hierarchical Public Key Infrastructure (PKI) where X.509 certificates are typically issued and validated by Certificate Authorities (CAs).
DETACHED VS. OPAQUE SIGNATURES
A detached signature (default for `-sign`) keeps the original content separate from the signature, often sent as a multipart message. An opaque signature (with `-nodetach`) embeds the content within the signed message, making it a single self-contained unit.
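The following script is an added example, not code from the OpenSSL project or from this page's author. It exercises the common operations listed in SYNOPSIS and PARAMETERS (sign, verify, encrypt, decrypt) and the detached versus opaque distinction above in one round trip, using a throwaway self-signed certificate in place of a CA-issued one. Every file name, the subject name "smime-example" and the message text are assumptions; everything lives in a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example (not OpenSSL project code): S/MIME round trip with a
# throwaway self-signed certificate. All file names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One self-signed certificate stands in for three things a CA-backed PKI
# provides separately: the signer cert, the recipient cert and the trust
# anchor handed to -CAfile. Hypothetical subject name.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=smime-example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
    # Constructed sample message.
    printf 'The quick brown fox signs a message.\n' > "$WORK/msg.txt"
}

# Compare a recovered message with the original, ignoring the CRLF line
# endings that MIME canonicalization introduces.
same_text() {
    tr -d '\r' < "$1" | cmp -s - "$WORK/msg.txt"
}

# Detached signature (the default): the multipart output carries the clear
# text and the signature as separate parts. -verify chains the embedded
# signer cert to the anchor in -CAfile; -text strips the text/plain header.
sign_detached() {
    openssl smime -sign -in "$WORK/msg.txt" -text -md sha256 \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/detached.eml" || return 1
    openssl smime -verify -in "$WORK/detached.eml" -text \
        -CAfile "$WORK/cert.pem" -out "$WORK/detached.txt" 2>/dev/null || return 1
    same_text "$WORK/detached.txt"
}

# Opaque signature (-nodetach): content and signature form one base64 body,
# so the text is not readable until -verify unpacks it.
sign_opaque() {
    openssl smime -sign -nodetach -in "$WORK/msg.txt" -text -md sha256 \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/opaque.eml" || return 1
    if grep -q 'quick brown fox' "$WORK/opaque.eml"; then return 1; fi
    openssl smime -verify -in "$WORK/opaque.eml" -text \
        -CAfile "$WORK/cert.pem" -out "$WORK/opaque.txt" 2>/dev/null || return 1
    same_text "$WORK/opaque.txt"
}

# Integrity check: changing one word of the clear-text part of the detached
# message must make -verify fail; that is what the signature exists for.
tamper_is_detected() {
    sed 's/quick/slow/' "$WORK/detached.eml" > "$WORK/tampered.eml"
    if openssl smime -verify -in "$WORK/tampered.eml" \
        -CAfile "$WORK/cert.pem" -out /dev/null 2>/dev/null; then
        return 1
    fi
    return 0
}

# Confidentiality: encrypt to the recipient certificate (trailing argument)
# with AES-256, then decrypt with the matching private key via -recip/-inkey.
encrypt_decrypt() {
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -text \
        -out "$WORK/encrypted.eml" "$WORK/cert.pem" || return 1
    if grep -q 'quick brown fox' "$WORK/encrypted.eml"; then return 1; fi
    openssl smime -decrypt -in "$WORK/encrypted.eml" -text \
        -recip "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/decrypted.txt" || return 1
    same_text "$WORK/decrypted.txt"
}

# Runs every step; returns 0 only if all of them behave as expected.
run_smime_roundtrip() {
    make_test_identity && sign_detached && sign_opaque \
        && tamper_is_detected && encrypt_decrypt
}

if command -v openssl >/dev/null 2>&1; then
    run_smime_roundtrip
    echo "S/MIME round trip OK"
else
    echo "openssl not found on PATH; nothing was run" >&2
fi
```

The verify steps deliberately pass -CAfile rather than -noverify: without a trust anchor the signature proves only that some key signed the content, not whose. The tamper step edits the clear-text part of the detached message, which is exactly the part a detached signature leaves readable and which an opaque signature hides inside the base64 body.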
HISTORY
The `smime` command in OpenSSL is a long-standing utility for handling S/MIME messages, evolving with the CMS standard (RFC 5652). It provides a command-line interface to OpenSSL's underlying cryptographic libraries, making it indispensable for script-based automation and integration in secure messaging workflows. Its roots trace back to the need for interoperable secure email and data exchange standards, with OpenSSL providing one of the most robust and widely adopted open-source implementations.
SEE ALSO
openssl(1), openssl-x509(1), openssl-pkcs7(1), openssl-crl(1), openssl-req(1)