Sending S/MIME email using OpenSSL

Put the body text of your message in a separate file. With your X.509 certificate and the associated private key at hand, sign it with the following command (the -text option adds the text/plain MIME header to the message so that mail clients display it correctly):

openssl smime -sign -in message -out signed-message \
	-signer /path/to/your/certificate.pem \
	-inkey  /path/to/your/secret-key.pem -text

If you also want to encrypt your mail (normally not necessary for approving user requests, unless you transfer private information about the subject), also run the signed message through S/MIME encryption:

openssl smime -encrypt -out encrypted-signed-message \
	-in signed-message /path/to/intended-operators/certificate.pem

Please do not encrypt your mail unnecessarily: an encrypted message can only be read by the one CA operator whose certificate you chose, which may delay signing of the user certificates until that operator is available. You can select the certificate of the operator of your choice on the Operator List pages, as a PEM (or DER) formatted certificate. Use the PEM version on the -encrypt command line; older OpenSSL releases accept only PEM there, so a DER certificate has to be converted first.

Verifying and decrypting mail (the other side)

On arrival, the NIKHEF CA operator will verify your signature (i.e. that you are indeed the person you claim to be) and the integrity of your message. If the message is encrypted, it is first decrypted with the operator's own certificate and private key:

openssl smime -decrypt -in encrypted-signed-message \
	-out received-msg \
	-recip /path/to/operators/certificate.pem \
	-inkey /path/to/operators/private-key.pem

Subsequently, the signature is validated and the message read:

openssl smime -verify -text -CApath /global/globus/share/certificates \
	-in received-msg

This will print the content of the message and verify that the signer's certificate chains to one of the trusted CA certificates in the -CApath directory (OpenSSL reports "Verification successful" on stderr, and exits with an error otherwise). A valid chain on its own only proves that the message was signed by some holder of a certificate from a trusted CA, so finally the recipient checks whether the signer is indeed the appropriate sender:

openssl smime -pk7out -in received-msg | openssl pkcs7 -print_certs -noout

This prints the subject and issuer DN of the signing certificate, i.e. the RA's name and the CA that issued it, which must match the RA the operator expects for this request.
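To see the whole procedure above run end to end without any real certificates, here is an added example script (not part of the original page and not NIKHEF's own tooling) that creates a throwaway CA, issues one certificate to a hypothetical RA and one to a hypothetical operator, then performs the sign, encrypt, decrypt, verify and signer-DN steps in a temporary directory. All DNs, file names and the request text are constructed for the demo, and the local certs directory stands in for /global/globus/share/certificates; it uses the same hashed-filename layout that -CApath requires.

```sh
#!/bin/sh
# Added example, not NIKHEF's own tooling: a full S/MIME round trip with a
# throwaway CA so the sign/encrypt/decrypt/verify commands can be exercised
# offline. All DNs, file names and the request text are constructed.
set -eu

# Everything runs in a subshell inside a temporary directory, so the cd and
# the temporary key material never leak into the caller's environment.
smime_roundtrip() (
    work=$(mktemp -d)
    cd "$work"
    q() { "$@" 2>/dev/null; }   # silence OpenSSL key-generation chatter

    # 1. Throwaway CA (stands in for the real CA) and two end-entity
    #    certificates: the RA who signs the request and the operator who
    #    receives it. Keys are left unencrypted (-nodes) only because this
    #    is a demo; real keys belong in a passphrase-protected file.
    q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/O=Example/CN=Demo CA" -keyout ca-key.pem -out ca-cert.pem
    issue() {   # issue <file-prefix> <CN>: CA-signed key pair for one party
        q openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/O=Example/CN=$2" -keyout "$1-key.pem" -out "$1.csr"
        q openssl x509 -req -sha256 -days 2 -in "$1.csr" \
            -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out "$1-cert.pem"
    }
    issue ra "Demo RA"
    issue operator "Demo Operator"

    # 2. Trust store in the hashed-directory layout -CApath expects:
    #    each trusted CA certificate is stored as <subject-hash>.0
    mkdir certs
    cp ca-cert.pem "certs/$(openssl x509 -noout -hash -in ca-cert.pem).0"

    # 3. RA side: sign the (constructed) request text, then encrypt the
    #    signed message to the operator. -aes256 is chosen explicitly;
    #    without a cipher option openssl smime -encrypt falls back to 3DES.
    printf 'Please sign the request for /O=Example/CN=Some User, id 1234.\n' > message
    openssl smime -sign -in message -out signed-message \
        -signer ra-cert.pem -inkey ra-key.pem -text
    openssl smime -encrypt -aes256 -out encrypted-signed-message \
        -in signed-message operator-cert.pem

    # 4. Operator side: decrypt with the operator's key, verify the signer
    #    chain against the trust store (fails the script on a bad signature
    #    thanks to set -e), then read the signer DN out of the PKCS#7 blob.
    openssl smime -decrypt -in encrypted-signed-message -out received-msg \
        -recip operator-cert.pem -inkey operator-key.pem
    openssl smime -verify -text -CApath certs -in received-msg -out body.txt
    signer=$(openssl smime -pk7out -in received-msg \
        | openssl pkcs7 -print_certs -noout | grep '^subject=')

    # 5. Report the verified body (first line, CRLF stripped) and the signer
    #    DN. The caller must still compare that DN with the RA it expects:
    #    a valid chain only proves the signer holds a certificate from this CA.
    head -n 1 body.txt | tr -d '\r'
    printf '%s\n' "$signer"
    rm -rf "$work"
)

smime_roundtrip
```

The verify step deliberately uses -CApath with a hashed directory rather than -CAfile, so that the lookup works exactly as in the operator's real command. If you drop -aes256 from the encrypt step you get the page's command unchanged, with OpenSSL's triple-DES default.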
David Groep <davidg@nikhef.nl>