
Here is how one should sign a message with openssl smime, according to the docs:

openssl smime -sign -in in.txt -text -out mail.msg -signer mycert.pem \
 -inkey mykey.pem -certfile mycerts.pem

But why is there a -signer key with a certificate; isn't a private key passed via -inkey enough for message signing? Isn't it just a usual asymmetric encryption scheme, where my private key is for message signing and my certificate (i.e., the signed public key corresponding to my private key) is for my counterpart to encrypt the message?

2 Answers

1

As far as I found out, this is for the second side to verify your signature, in case it does not have that certificate.

1

This is a little more complicated than that.

While, in essence, you CAN sign messages with random keys, without a certificate identification, it will be instantly invalidated by a verifying party.

You need a certificate with proper flags to be able to create a legitimate signature. If it is a transparent signature (wrap), the receiving party will not need your certificate to read the message contents or evaluate message integrity; however, it will still need it to establish authenticity.

AnrDaemon
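The difference the two answers draw between the private key (which produces the signature) and the certificate (which lets the recipient establish who signed) can be seen directly on the command line. The script below is an added example, not code from the question or from either answer: it builds a throwaway self-signed identity (the subject name, the emailProtection extendedKeyUsage flag and the file names under a temporary directory are all assumptions), signs a constructed message with `openssl smime -sign`, once with the signer certificate embedded and once with `-nocerts`, and then runs `openssl smime -verify` under each condition a recipient might be in. It requires the openssl CLI (1.1.1 or later for `-addext`).

```shell
#!/bin/sh
# Added example (not from the question or the answers): why "openssl smime
# -sign" takes a certificate (-signer) as well as a private key (-inkey).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key pair and self-signed certificate (constructed identity).
# emailProtection is the "proper flag" an S/MIME verifier looks for; the
# subject name is an assumption.
make_identity() {
  [ -f "$WORK/mycert.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=smime-example" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/mykey.pem" -out "$WORK/mycert.pem" >/dev/null 2>&1
  printf 'hello from the smime example\n' > "$WORK/in.txt"   # constructed message
}

# Clear-signed (multipart/signed) message with the signer certificate embedded,
# i.e. the form of the command quoted in the question, minus -certfile.
sign_with_cert() {
  make_identity
  openssl smime -sign -in "$WORK/in.txt" -text -out "$WORK/mail.msg" \
    -signer "$WORK/mycert.pem" -inkey "$WORK/mykey.pem"
}

# Same signature, but -nocerts leaves the signer certificate out of the message.
sign_without_cert() {
  make_identity
  openssl smime -sign -in "$WORK/in.txt" -text -out "$WORK/mail-nocert.msg" \
    -signer "$WORK/mycert.pem" -inkey "$WORK/mykey.pem" -nocerts
}

# Runs "openssl smime -verify" on a message with extra options; prints ok/fail.
verify() {
  msg=$1; shift
  if openssl smime -verify -in "$msg" -out /dev/null "$@" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# One line per situation the recipient can be in.
demo() {
  sign_with_cert
  sign_without_cert
  # Tampered copy of the clear-signed message: integrity check must now fail.
  sed 's/hello/HELLO/' "$WORK/mail.msg" > "$WORK/tampered.msg"

  echo "embedded cert, trusted CA:   $(verify "$WORK/mail.msg" -CAfile "$WORK/mycert.pem")"
  echo "embedded cert, untrusted:    $(verify "$WORK/mail.msg")"
  echo "embedded cert, -noverify:    $(verify "$WORK/mail.msg" -noverify)"
  echo "no cert in msg, trusted CA:  $(verify "$WORK/mail-nocert.msg" -CAfile "$WORK/mycert.pem")"
  echo "no cert, -certfile supplied: $(verify "$WORK/mail-nocert.msg" -CAfile "$WORK/mycert.pem" -certfile "$WORK/mycert.pem")"
  echo "tampered body, trusted CA:   $(verify "$WORK/tampered.msg" -CAfile "$WORK/mycert.pem")"
}

demo
```

The six lines map onto the answers: with the certificate embedded and trusted (`-CAfile`), verification establishes both integrity and authenticity; without a trust anchor it fails even though the signature itself is fine; `-noverify` checks only the signature, which is the "integrity but not authenticity" case of the second answer; a message signed with `-nocerts` cannot be verified at all until the recipient supplies the certificate separately via `-certfile`, which is the first answer's point; and a modified body fails regardless. In the question's own command, `-certfile mycerts.pem` on the signing side serves the related purpose of embedding intermediate certificates so the recipient can build a chain to a CA it already trusts.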