- -encrypt
encrypt mail for the given recipient certificates. Input file
is the message to be encrypted. The output file is the
encrypted mail in MIME format. The actual CMS type is
EnvelopedData.
- -decrypt
decrypt mail using the supplied certificate and private key.
Expects an encrypted mail message in MIME format for the
input file. The decrypted mail is written to the output file.
- -sign
sign mail using the supplied certificate and private key.
Input file is the message to be signed. The signed message in
MIME format is written to the output file.
- -verify
verify signed mail. Expects a signed mail message on input
and outputs the signed data. Both clear text and opaque
signing is supported.
- -cmsout
takes an input message and writes out a PEM encoded CMS
structure.
- -resign
resign a message: take an existing message and one or more
new signers.
- -data_create
Create a CMS Data type.
- -data_out
Take a CMS Data type as input and output the content.
- -digest_create
Create a CMS DigestedData
type.
- -digest_verify
Verify a CMS DigestedData
type and output the content.
- -compress
Create a CMS CompressedData
type. OpenSSL must be compiled with zlib support for this option to work,
otherwise it will output an error.
- -uncompress
Uncompress a CMS CompressedData type and output the
content. OpenSSL must be compiled with zlib support for this option to work,
otherwise it will output an error.
- -EncryptedData_encrypt
Encrypt the supplied content using the supplied symmetric key and
algorithm using a CMS EncryptedData type and output the
content.
- -sign_receipt
Generate and output a signed receipt for the supplied
message. The input message must contain a signed receipt request.
Functionality is otherwise similar to the -sign operation.
- -verify_receipt receipt
Verify a signed receipt in filename receipt. The input message must contain the original receipt
request. Functionality is otherwise similar to the -verify operation.
- -in filename
the input message to be encrypted or signed or the message to
be decrypted or verified.
- -inform SMIME|PEM|DER
this specifies the input format for the CMS structure. The
default is SMIME which reads an S/MIME format message. PEM and
DER format change this to expect PEM and DER format CMS
structures instead. This currently only affects the input
format of the CMS structure; if no CMS structure is being input
(for example with -encrypt or -sign) this option has no effect.
- -rctform SMIME|PEM|DER
specify the format for a signed receipt for use with the
-verify_receipt operation.
- -out filename
the message text that has been decrypted or verified or the
output MIME format message that has been signed or verified.
- -outform SMIME|PEM|DER
this specifies the output format for the CMS structure. The
default is SMIME which writes an S/MIME format message. PEM and
DER format change this to write PEM and DER format CMS
structures instead. This currently only affects the output
format of the CMS structure; if no CMS structure is being output
(for example with -verify or -decrypt) this option has no effect.
- -stream -indef -noindef
the -stream and -indef options are equivalent and
enable streaming I/O for encoding operations. This permits
single pass processing of data without the need to hold the
entire contents in memory, potentially supporting very large
files. Streaming is automatically set for S/MIME signing with
detached data if the output format is SMIME; it is currently off
by default for all other operations.
- -noindef
disable streaming I/O where it would produce an indefinite
length constructed encoding. This option currently has no
effect. In future streaming will be enabled by default on all
relevant operations and this option will disable it.
- -content filename
This specifies a file containing the detached content; it is
only useful with the -verify command, and only usable if the
CMS structure is using the detached signature form where the
content is not included. This option will override any content
if the input format is S/MIME and it uses the multipart/signed
MIME content type.
- -text
this option adds plain text (text/plain) MIME headers to the
supplied message if encrypting or signing. If decrypting or
verifying it strips off text headers: if the decrypted or
verified message is not of MIME type text/plain then an error
occurs.
- -noout
for the -cmsout operation do
not output the parsed CMS structure. This is useful when
combined with the -print
option or if the syntax of the CMS structure is being
checked.
- -print
for the -cmsout operation
print out all fields of the CMS structure. This is mainly
useful for testing purposes.
- -CAfile file
a file containing trusted CA certificates, only used with
-verify.
- -CApath dir
a directory containing trusted CA certificates, only used
with -verify. This directory
must be a standard certificate directory: that is a hash of
each subject name (using x509
-hash) should be linked to each certificate.
- -md digest
digest algorithm to use when signing or resigning. If not
present then the default digest algorithm for the signing key
will be used (usually SHA1).
- -[cipher]
the encryption algorithm to use. For example triple DES (168
bits) -des3 or 256 bit AES -aes256. Any standard algorithm name
(as used by the EVP_get_cipherbyname() function) can also be
used preceded by a dash, for example -aes_128_cbc. See enc for a
list of ciphers supported by your version of OpenSSL.
If not specified triple DES is used. Only used with -encrypt and -EncryptedData_encrypt commands.
- -nointern
when verifying a message normally certificates (if any)
included in the message are searched for the signing
certificate. With this option only the certificates specified
in the -certfile option are
used. The supplied certificates can still be used as
untrusted CAs however.
- -no_signer_cert_verify
do not verify the signer's certificate of a signed message.
- -nocerts
when signing a message the signer's certificate is normally
included; with this option it is excluded. This will reduce
the size of the signed message but the verifier must have a
copy of the signer's certificate available locally (passed
using the -certfile option
for example).
- -noattr
normally when a message is signed a set of attributes are
included which include the signing time and supported
symmetric algorithms. With this option they are not included.
- -nosmimecap
exclude the list of supported algorithms from signed
attributes, other options such as signing time and content
type are still included.
- -binary
normally the input message is converted to "canonical" format
which is effectively using CR and LF as end of line: as
required by the S/MIME specification. When this option is
present no translation occurs. This is useful when handling
binary data which may not be in MIME format.
- -nodetach
when signing a message use opaque signing: this form is more
resistant to translation by mail relays but it cannot be read
by mail agents that do not support S/MIME. Without this
option cleartext signing with the MIME type multipart/signed
is used.
- -certfile file
allows additional certificates to be specified. When signing
these will be included with the message. When verifying these
will be searched for the signers' certificates. The
certificates should be in PEM format.
- -certsout file
any certificates contained in the message are written to
file.
- -signer file
a signing certificate when signing or resigning a message;
this option can be used multiple times if more than one
signer is required. If a message is being verified then the
signers' certificates will be written to this file if the
verification was successful.
- -recip file
the recipient's certificate when decrypting a message. This
certificate must match one of the recipients of the message
or an error occurs.
- -keyid
use subject key identifier to identify certificates instead
of issuer name and serial number. The supplied certificate
must include a subject key
identifier extension. Supported by -sign and -encrypt options.
- -receipt_request_all -receipt_request_first
for the -sign option include a
signed receipt request. Indicate that receipts should be provided
by all recipients or by first tier recipients only (those mailed
directly and not from a mailing list). Ignored if -receipt_request_from is included.
- -receipt_request_from emailaddress
for -sign option include a
signed receipt request. Add an explicit email address where
receipts should be supplied.
- -receipt_request_to emailaddress
Add an explicit email address where signed receipts should be
sent to. This option must
be supplied if a signed receipt is requested.
- -receipt_request_print
For the -verify operation
print out the contents of any signed receipt requests.
- -secretkey key
specify the symmetric key to use. The key must be supplied in hex
format and be consistent with the algorithm used. Supported
by the -EncryptedData_encrypt, -EncryptedData_decrypt, -encrypt and -decrypt options. When used with
-encrypt or -decrypt the supplied key is used to
wrap or unwrap the content encryption key using an AES key in
the KEKRecipientInfo type.
- -secretkeyid id
the key identifier for the supplied symmetric key for the
KEKRecipientInfo type. This option must be present if the
-secretkey option is used with -encrypt. With -decrypt
operations the id is used to locate the relevant key; if it is
not supplied then an attempt is made to decrypt any
KEKRecipientInfo structures.
- -econtent_type type
set the encapsulated content type to type; if not supplied the Data type is used. The type argument can be any valid OID
name in either text or numerical format.
- -inkey file
the private key to use when signing or decrypting. This must
match the corresponding certificate. If this option is not
specified then the private key must be included in the
certificate file specified with the -recip or -signer file. When signing this option
can be used multiple times to specify successive keys.
- -passin arg
the private key password source. For more information about
the format of arg see the
PASS PHRASE ARGUMENTS
section in openssl(1).
- -rand file(s)
a file or files containing random data used to seed the
random number generator, or an EGD socket (see RAND_egd(3)). Multiple
files can be specified separated by an OS-dependent character.
The separator is ; for MS-Windows, , for OpenVMS, and : for all
others.
- cert.pem...
one or more certificates of message recipients: used when
encrypting a message.
- -to, -from, -subject
the relevant mail headers. These are included outside the
signed portion of a message so they may be included manually.
If signing then many S/MIME mail clients check the signers
certificate's email address matches that specified in the
From: address.
- -purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig
Set various certificate chain validation options. See the
verify manual page for details.
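An added worked example (not part of the man page) that runs the -sign/-verify, -cmsout and -encrypt/-decrypt options above end to end. It assumes an openssl binary on PATH and constructs its own self-signed certificate (alice@example.test) and message; the step helper, file names and temp dir are the example's own.

```sh
#!/bin/sh
# Added example, not from the OpenSSL man page: one pass over sign/verify,
# S/MIME-to-PEM conversion and encrypt/decrypt with a throwaway self-signed
# certificate. All files live in a temp dir that is removed afterwards.
set -u
# Run one step; abort the demo with a message on the first failure.
step() { "$@" || { echo "step failed: $*" >&2; exit 1; }; }

cms_roundtrip() {
    work=$(mktemp -d) || return 1
    rc=0
    (
        cd "$work" || exit 1
        # Constructed identity: self-signed cert + key, used as signer and recipient.
        step openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem \
            -out cert.pem -subj "/CN=alice@example.test" -days 1 2>/dev/null
        printf 'Hello, CMS\n' > msg.txt

        # Opaque signing (-nodetach) with text/plain MIME headers added (-text).
        step openssl cms -sign -in msg.txt -signer cert.pem -inkey key.pem \
            -nodetach -text -out signed.msg
        # Verify with our own cert as the only trust anchor; -signer saves the
        # certificate that verified and -text strips the text/plain headers.
        step openssl cms -verify -in signed.msg -CAfile cert.pem -text \
            -signer seen.pem -out verified.txt 2>/dev/null
        # Re-encode the S/MIME message as PEM, then parse that PEM and print
        # its fields without re-emitting the structure (-print -noout).
        step openssl cms -cmsout -in signed.msg -outform PEM -out signed.pem
        step openssl cms -cmsout -in signed.pem -inform PEM -print -noout >/dev/null

        # EnvelopedData for the recipient cert with AES-256 instead of the
        # triple DES default; -binary skips CRLF canonicalisation so the
        # decrypted bytes equal the input. -recip must match a RecipientInfo.
        step openssl cms -encrypt -binary -in msg.txt -aes256 -out enc.msg cert.pem
        step openssl cms -decrypt -in enc.msg -recip cert.pem -inkey key.pem \
            -out dec.txt

        step cmp -s msg.txt dec.txt
        tr -d '\r' < verified.txt | cmp -s - msg.txt || exit 1
        step grep -q 'BEGIN CMS' signed.pem
        step test -s seen.pem
    ) || rc=1
    rm -rf "$work"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    cms_roundtrip && echo "sign/verify and encrypt/decrypt round trips OK"
fi
```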
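A second added example (again not from the man page) for the certificate-free paths described under -secretkey and -secretkeyid: a KEKRecipientInfo round trip through -encrypt/-decrypt, a check that the wrong KEK is rejected, and the EncryptedData type via -EncryptedData_encrypt/-EncryptedData_decrypt. The hex key, key id and file names are constructed for the demo; an openssl binary on PATH is assumed.

```sh
#!/bin/sh
# Added example, not from the OpenSSL man page: symmetric-key CMS with no
# certificates at all. One constructed 256-bit key (a) wraps the content
# key in a KEKRecipientInfo via -encrypt/-decrypt and (b) drives the
# EncryptedData type directly.
set -u
# Constructed demo key: 32 bytes of hex, consistent with AES-256. A fixed
# key like this belongs only in a throwaway test.
DEMO_KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
WRONG_KEY=$(printf '%064d' 0)
# Run one step; abort the demo with a message on the first failure.
step() { "$@" || { echo "step failed: $*" >&2; exit 1; }; }

cms_symmetric() {
    work=$(mktemp -d) || return 1
    rc=0
    (
        cd "$work" || exit 1
        printf 'secret payload\n' > msg.txt

        # KEKRecipientInfo: the AES-256 KEK wraps a fresh content-encryption
        # key; -secretkeyid (hex) is mandatory and is how -decrypt finds it.
        step openssl cms -encrypt -binary -in msg.txt -aes256 -outform PEM \
            -secretkey "$DEMO_KEY" -secretkeyid 0A -out kek.pem
        step openssl cms -decrypt -in kek.pem -inform PEM \
            -secretkey "$DEMO_KEY" -secretkeyid 0A -out kek_dec.txt
        step cmp -s msg.txt kek_dec.txt
        # The wrong KEK must fail: AES key unwrap carries an integrity check.
        if openssl cms -decrypt -in kek.pem -inform PEM -secretkeyid 0A \
               -secretkey "$WRONG_KEY" -out /dev/null 2>/dev/null; then
            echo "wrong key was accepted" >&2; exit 1
        fi

        # EncryptedData: no RecipientInfo, the key itself encrypts the content,
        # so it must match the cipher's key length (32 bytes for -aes256).
        step openssl cms -EncryptedData_encrypt -binary -in msg.txt -aes256 \
            -secretkey "$DEMO_KEY" -outform DER -out ed.der
        step openssl cms -EncryptedData_decrypt -in ed.der -inform DER \
            -secretkey "$DEMO_KEY" -out ed_dec.txt
        step cmp -s msg.txt ed_dec.txt
    ) || rc=1
    rm -rf "$work"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    cms_symmetric && echo "KEKRecipientInfo and EncryptedData round trips OK"
fi
```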