Your Search Results

    NSS tools : cmsutil


    cmsutil — Performs basic cryptograpic operations, such as encryption and
    decryption, on Cryptographic Message Syntax (CMS) messages.


    cmsutil [options] arguments


    The cmsutil command-line uses the S/MIME Toolkit to perform basic
    operations, such as encryption and decryption, on Cryptographic Message
    Syntax (CMS) messages.

    To run cmsutil, type the command cmsutil option [arguments] where option
    and arguments are combinations of the options and arguments listed in the
    following section. Each command takes one option. Each option may take
    zero or more arguments. To see a usage string, issue the command without

    Options and Arguments


    Options specify an action. Option arguments modify an action. The options
    and arguments for the cmsutil command are defined as follows:


    Decode a message.


    Encrypt a message.


    Envelope a message.


    Create a certificates-only message.


    Sign a message.


    Option arguments modify an action and are lowercase.

    -c content

    Use this detached content (decode only).

    -d dbdir

    Specify the key/certificate database directory (default is ".")

    -e envfile

    Specify a file containing an enveloped message for a set of
    recipients to which you would like to send an encrypted message.
    If this is the first encrypted message for that set of recipients,
    a new enveloped message will be created that you can then use for
    future messages (encrypt only).


    Include a signing time attribute (sign only).

    -h num

    Generate email headers with info about CMS message (decode only).

    -i infile

    Use infile as a source of data (default is stdin).

    -N nickname

    Specify nickname of certificate to sign with (sign only).


    Suppress output of contents (decode only).

    -o outfile

    Use outfile as a destination of data (default is stdout).


    Include an S/MIME capabilities attribute.

    -p password

    Use password as key database password.

    -r recipient1,recipient2, ...

    Specify list of recipients (email addresses) for an encrypted or
    enveloped message. For certificates-only message, list of
    certificates to send.


    Suppress content in CMS message (sign only).

    -u certusage

    Set type of cert usage (default is certUsageEmailSigner).

    -Y ekprefnick

    Specify an encryption key preference by nickname.


    Encrypt Example

    cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile

    Decode Example

    cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]

    Envelope Example

    cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."

    Certificate-only Example

    cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."

    Sign Message Example

    cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]

    See also


    See Also

    Additional Resources

    NSS is maintained in conjunction with PKI and security-related projects
    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
    with a project wiki at [1]

    For information specifically about NSS, the NSS project wiki is located at
    [2] The NSS site relates
    directly to NSS code changes and releases.

    Mailing lists: and

    IRC: Freenode at #dogtag-pki


    The NSS tools were written and maintained by developers with Netscape and
    now with Red Hat.

    Authors: Elio Maldonado <>, Deon Lackey


    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.


    Visible links

    Document Tags and Contributors

    Contributors to this page: Sheppy,
    Last updated by: Sheppy,