用途：

S/MIME工具，用于处理S/MIME邮件，它能加密、解密、签名和验证S/MIME消息

语法：

openssl smime

[-encrypt] [-decrypt] [-sign] [-verify] [-pk7out] [-nointern] [-nosigs]

[-noverify] [-nocerts] [ -nodetach] [-noattr] [-binary] [-

in

file

]

[-inform SMIME|PEM|DER] [-certfile

file

] [-signer

file

] [-recip

file

]

[-passin arg] [-inkey

file

] [-keyform PEM |ENGINE] [-out

file

]

[-outform SMIME|PEM|DER] [-content

file

] [-to addr] [-from ad] [-subject s]

[-text] [-CApath directory] [-CAfile filename] [-crl_check] [-crl_check_all]

[-indef] [-noindef] [-stream] [-rand

file

(s)] [-md digest] [cert.pem…] [-des]

[-des3] [-rc2-

40

] [-rc2-

64

] [-rc2-

128

]

参数说明：

-encrypt encrypt message

-decrypt decrypt encrypted message

-sign sign message

-verify verify signed message

-pk7out output PKCS#7 structure

-des3 encrypt with triple DES

-des encrypt with DES

-seed encrypt with SEED

-rc2-40 encrypt with RC2-40 (default)

-rc2-64 encrypt with RC2-64

-rc2-128 encrypt with RC2-128

-aes128, -aes192, -aes256

encrypt PEM output with cbc aes

-camellia128, -camellia192, -camellia256

encrypt PEM output with cbc camellia

-nointern don't search certificates in message for signer

-nosigs don't verify message signature

-noverify don't verify signers certificate

-nocerts don't include signers certificate when signing

-nodetach use opaque signing

-noattr don't include any signed attributes

-binary don't translate message to text

-certfile file other certificates file

-signer file signer certificate file

-recip file recipient certificate file for decryption

-in file input file

-inform arg input format SMIME (default), PEM or DER

-inkey file input private key (if not signer or recipient)

-keyform arg input private key format (PEM or ENGINE)

-out file output file

-outform arg output format SMIME (default), PEM or DER

-content file supply or override content for detached signature

-to addr to address

-from ad from address

-subject s subject

-text include or delete text MIME headers

-CApath dir trusted certificates directory

-CAfile file trusted certificates file

-trusted_first use trusted certificates first when building the trust chain

-crl_check check revocation status of signer's certificate using CRLs

-crl_check_all check revocation status of signer's certificate chain using CRLs

-engine e use engine e, possibly a hardware device.

-passin arg input file pass phrase source

-rand file:file:...

load the file (or the files in the directory) into

the random number generator

cert.pem recipient certificate(s) for encryption

例子：

1、进行数字签名

openssl smime -verify -CAfile certself.pem -

in

install_sign.msg -out install_verify.log

openssl smime -verify -noverify -CAfile certself.pem -signer certself.pem -

in

text_sign.msg -out text_verify.log

openssl smime -verify -nodetach -CAfile certself.pem -signer certself.pem -

in

text_sign.msg -out text_verify.log

2、进行签名验证

openssl smime -verify -CAfile certself.pem -

in

install_sign.msg -out install_verify.log

openssl smime -verify -noverify -CAfile certself.pem -signer certself.pem -

in

text_sign.msg -out text_verify.log

openssl smime -verify -nodetach -CAfile certself.pem -signer certself.pem -

in

text_sign.msg -out text_verify.log

3、进行数字信封加密

openssl smime -encrypt -

in

install

.log -out install_evp.enc certself.pem

4、进行数字信封解密

openssl smime -decrypt -

in

install_evp.enc -out install_ope.log -inkey prikey.pem

5、smime格式与pkcs#7格式的互转

openssl smime -

in

text_sign.msg -pk7out -out test_pkcs.pem

openssl pkcs7 -in test_pkcs.pem -text

 

openssl系列命令大纲：