Is there a way to digitally sign an x509 certificate or any document using openssl?
Yes, the dgst and rsautl components of OpenSSL can be used to compute a signature given an RSA key pair.
Signing:
Verifying just the signature:
Update: Capturing Reto’s comments from below because this is an important nuance. Presumably if you are going to the trouble to verify, you want to know the signature was produced on the plaintext to which it is attached:
This might sound obvious for some but: Be aware, rsautl verify just decrypts the file signature. The output of this call is guaranteed to be produced by the owner of the private key, but beside that nothing else is being checked. So to actually verify the consistency of data.txt you have to regenerate the digest and then compare it against the output of openssl rsautl -verify.

Verifying that the owner of the private key does vouch for data.txt:

For this operation, openssl requires the public key, the signature, and the message.
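
The difference between the two checks described in the answer above, as an added example that is not part of the original answer. It assumes a throwaway RSA key in constructed files privatekey.pem and publickey.pem, signs with `openssl dgst -sign`, and uses `openssl pkeyutl -verifyrecover` in place of `rsautl -verify`, which OpenSSL 3.0 deprecates.

```shell
#!/bin/sh
# Added example: all keys, messages and file names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_keys() {      # writes a throwaway RSA key pair into $WORK
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/privatekey.pem" 2>/dev/null
    openssl pkey -in "$WORK/privatekey.pem" -pubout -out "$WORK/publickey.pem"
}

sign_file() {      # sign_file <message> <signature-out>: SHA-256 digest, RSA signature
    openssl dgst -sha256 -sign "$WORK/privatekey.pem" -out "$2" "$1"
}

verify_file() {    # verify_file <message> <signature>: status 0 only if the
                   # signature was produced over exactly this message
    openssl dgst -sha256 -verify "$WORK/publickey.pem" -signature "$2" "$1" \
        >/dev/null 2>&1
}

recover_only() {   # recover_only <signature>: signature-only check; proves the
                   # private key made it, never looks at any message
    openssl pkeyutl -verifyrecover -pubin -inkey "$WORK/publickey.pem" -in "$1" \
        >/dev/null 2>&1
}

make_keys
printf 'pay 100 to alice\n' > "$WORK/data.txt"
sign_file "$WORK/data.txt" "$WORK/signature"
verify_file "$WORK/data.txt" "$WORK/signature" && echo "original message: verified"

# The message changes after signing; the signature file is untouched.
printf 'pay 900 to bob\n' > "$WORK/data.txt"
recover_only "$WORK/signature" && echo "signature-only check: still passes"
verify_file "$WORK/data.txt" "$WORK/signature" || echo "message check: rejected"
```

The signature-only check keeps passing after data.txt changes, which is why the verification step needs the public key, the signature, and the message together.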