## Sending S/MIME email using OpenSSL
Create the body text of your message and store it in a separate file. Have your X.509 cert and the associated private key at hand and then run the following commands:
```
openssl smime -sign -in message -out signed-message \
    -signer /path/to/your/certificate.pem \
    -inkey /path/to/your/secret-key.pem -text
```

```
openssl smime -encrypt -out encrypted-signed-message \
    -in signed-message /path/to/intended-operators/certificate.pem
```

Please do not encrypt your mail unnecessarily, since your encrypted mail can only be read by your chosen CA operator. This may delay signing of the user certs until that operator is available. You can select the certificate of the operator of your choice on the Operator List pages, choosing a PEM (or DER) formatted certificate.
## Verifying and decrypting mail (the other side)
On arrival, the NIKHEF CA operator will verify your signature (i.e. that you are indeed the person you claim to be) and the integrity of your message. If the message is encrypted, it is decrypted with:
```
openssl smime -decrypt -in encrypted-signed-message \
    -out received-msg \
    -recip /path/to/operators/certificate.pem \
    -inkey /path/to/operators/private-key.pem
```

Subsequently, the signature is validated and the message read:

```
openssl smime -verify -text -CApath /global/globus/share/certificates \
    -in received-msg
```

This prints the content of the message and verifies the validity of the certificate chain. Finally, the recipient checks whether the signer is indeed the appropriate sender:

```
openssl smime -pk7out -in received-msg | openssl pkcs7 -print_certs -noout
```

This prints the DN of the signing subject (e.g. the RA's name).
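The whole exchange above, sender side and operator side, as an added, self-contained script that is not part of the original page: it generates throwaway self-signed certificates for a hypothetical "Demo User" and "Demo CA Operator" (constructed fixtures, not NIKHEF-issued certificates), lays out a hashed `-CApath` directory that trusts the user certificate, then signs, encrypts, decrypts, verifies and extracts the signer DN with the same `openssl smime` invocations. The `-aes256` option on the encrypt step is an addition, made explicit because older OpenSSL releases default to triple DES.

```shell
#!/bin/sh
# Added example: constructed S/MIME round trip with throwaway self-signed
# certificates for a "user" and a CA "operator" (hypothetical identities).
set -eu
WORK=${WORK:-$(mktemp -d)}

# Self-signed cert + key for one party; a test fixture, not a CA-issued cert.
make_identity() {  # $1 = name, $2 = subject DN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# Build both identities, a sample message, and a hashed -CApath directory
# that trusts the user's (self-signed) certificate, as c_rehash lays it out.
setup_demo() {
    make_identity user "/CN=Demo User"
    make_identity operator "/CN=Demo CA Operator"
    mkdir -p "$WORK/ca"
    cp "$WORK/user-cert.pem" \
       "$WORK/ca/$(openssl x509 -hash -noout -in "$WORK/user-cert.pem").0"
    printf 'Please sign my cert request.\n' > "$WORK/message"
}

# Sender side: sign with the user's key, then encrypt so that only the
# chosen operator (holder of operator-key.pem) can read it.
sign_and_encrypt() {  # $1 = plaintext file
    openssl smime -sign -in "$1" -out "$WORK/signed-message" \
        -signer "$WORK/user-cert.pem" -inkey "$WORK/user-key.pem" -text
    openssl smime -encrypt -aes256 -out "$WORK/encrypted-signed-message" \
        -in "$WORK/signed-message" "$WORK/operator-cert.pem"
}

# Operator side: decrypt with the operator key, verify the signature chain
# against -CApath (set -e aborts on a bad signature or untrusted signer),
# then print the signer's DN for comparison with the expected requester.
decrypt_and_verify() {
    openssl smime -decrypt -in "$WORK/encrypted-signed-message" \
        -out "$WORK/received-msg" \
        -recip "$WORK/operator-cert.pem" -inkey "$WORK/operator-key.pem"
    openssl smime -verify -text -CApath "$WORK/ca" \
        -in "$WORK/received-msg" -out "$WORK/verified-body"
    openssl smime -pk7out -in "$WORK/received-msg" \
        | openssl pkcs7 -print_certs -noout
}

if [ "${1:-}" = "--demo" ]; then
    setup_demo; sign_and_encrypt "$WORK/message"; decrypt_and_verify
    cat "$WORK/verified-body"
fi
```

Run it as `sh smime_demo.sh --demo`; the verify step prints "Verification successful" on stderr, and the last lines are the subject and issuer of the signing certificate.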