Plaatsingsdatum: Oct 15, 2010 10:41:46 AM
Let’s say that someone sends you her public certificate and asks that you encrypt some message to her. You’ve saved her certificate as her-cert.pem. You’ve saved your reply as my-message.txt.
To get the default—though fairly weak—RC2-40 encryption, you just tell openssl where the message and the certificate are located.
openssl smime -encrypt -in my-message.txt her-cert.pem
If you’re pretty sure your remote correspondent has a robust SSL toolkit, you can specify a stronger encryption algorithm like triple DES:
openssl smime -encrypt -des3 -in my-message.txt her-cert.pem
By default, the encrypted message, including the mail headers, is sent to standard output. Use the -out option or your shell to redirect it to a file. Or, much trickier, pipe the output directly to sendmail. You might want to use the -text option
openssl smime \
-encrypt \
-des3 \
-in my-message.txt \
-from 'Your Fullname <you@youraddress.com>' \
-to 'Her Fullname <her@heraddress.com>' \
-subject 'My encrypted reply' her-cert.pem |\
sendmail her@heraddress.com
How do I sign a S/MIME message?
If you don’t need to encrypt the entire message, but you do want to sign it so that your recipient can be assured of the message’s integrity, the recipe is similar to that for encryption. The main difference is that you need to have your own key and certificate, since you can’t sign anything with the recipient’s cert.
openssl smime \
-sign \
-signer /path/to/your-cert.pem \
-in my-message.txt \
-from 'Your Fullname <you@youraddress.com>' \
-to 'Her Fullname <her@heraddress.com>' \
-subject 'My signed reply' |\
sendmail her@heraddress.com
convert DER (.crt .cer .der) to PEM
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
convert PEM to DER
openssl x509 -outform der -in MYCERT.pem -out MYCERT.der
convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates
openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes
add -nocerts for private key only; add -nokeys for certificates only
convert (add) a seperate key and certificate to a new keystore of type PKCS#12
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"
convert (add) a seperate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
you can repeat the combination of "-CAfile" and "-caname" for each intermediate certificate