Cryptography and SSL/TLS Toolkit



openssl-pkcs7 - PKCS#7 utility


openssl pkcs7 [-help] [-inform DER|PEM] [-outform DER|PEM] [-in filename] [-out filename] [-print_certs] [-text] [-noout] [-engine id]


This command processes PKCS#7 files. Note that it only understands PKCS#7 v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as described in IETF RFC 2630.

There is no option to print out all the fields of a PKCS#7 file.



Print out a usage message.

-inform DER|PEM, -outform DER|PEM

The input and formats; the default is PEM. See "Format Options" in openssl(1) for details.

The data is a PKCS#7 Version 1.5 structure.

-in filename

This specifies the input filename to read from or standard input if this option is not specified.

-out filename

Specifies the output filename to write to or standard output by default.


Prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format.


Prints out certificates details in full rather than just subject and issuer names.


Don't output the encoded version of the PKCS#7 structure (or certificates is -print_certs is set).

-engine id

Specifying an engine (by its unique id string) will cause this command to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.


Convert a PKCS#7 file from PEM to DER:

 openssl pkcs7 -in file.pem -outform DER -out file.der

Output all certificates in a file:

 openssl pkcs7 -in file.pem -print_certs -out certs.pem


openssl(1), openssl-crl2pkcs7(1)

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at