Introduction
This document describes how to check an X.509 certificate for signing from the command line with openssl. It also shows how to check the signature of a signed file with openssl.
The examples use EC keys only.
Extracting the Public Key from the X.509 Certificate
To check a signature with openssl, we have to use the public key that belongs to the private key the file was signed with. Therefore, we have to extract the public key from the given X.509 certificate for further use.
openssl x509 -in /path/to/certificate.pem -noout -pubkey > /tmp/pubkey.pem
Signing a file with a Private Key
In this example a file test.txt is signed with a private key and the (binary) signature is stored in a file signature.sig.
openssl dgst -sign private_key.pem -keyform PEM -sha256 -out signature.sig -binary test.txt
Check the signature with a public key
openssl dgst -verify user_pubkey.pem -keyform PEM -sha256 -signature signature.sig -binary test.txt
Possible results are:
Verified OK - the signature for the signed file matches
Verification Failure - the signature does not match
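The three steps above run end to end, as an added example that is not part of the original document. The throwaway key, the self-signed certificate, the subject /CN=example-signer and all file names are constructed; the function names are hypothetical. It checks the exit status of openssl rather than the printed text and shows that a file modified after signing no longer verifies.

```shell
#!/bin/sh
# Added example. All file names and the subject "/CN=example-signer" are constructed.

# Create a throwaway P-256 key and a self-signed certificate for it in directory $1.
make_test_material() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/private_key.pem" &&
    openssl req -new -x509 -key "$1/private_key.pem" -subj "/CN=example-signer" \
        -days 1 -out "$1/certificate.pem" 2>/dev/null
}

# Extract the public key from certificate $1 into $2.
extract_pubkey() {
    openssl x509 -in "$1" -noout -pubkey > "$2"
}

# Sign file $2 with private key $1, writing the binary signature to $3.
sign_file() {
    openssl dgst -sign "$1" -keyform PEM -sha256 -out "$3" -binary "$2"
}

# Return 0 only if signature $3 over file $2 verifies under public key $1.
# The exit status is checked instead of the "Verified OK" text.
verify_file() {
    openssl dgst -verify "$1" -keyform PEM -sha256 -signature "$3" -binary "$2" \
        >/dev/null 2>&1
}

# Run the whole flow in a temporary directory and report both outcomes.
demo() {
    d=$(mktemp -d) || return 1
    make_test_material "$d" && extract_pubkey "$d/certificate.pem" "$d/pubkey.pem" || return 1
    printf 'constructed sample content\n' > "$d/test.txt"
    sign_file "$d/private_key.pem" "$d/test.txt" "$d/signature.sig" || return 1
    if verify_file "$d/pubkey.pem" "$d/test.txt" "$d/signature.sig"; then
        echo "original file: signature matches"
    fi
    printf 'one appended line\n' >> "$d/test.txt"   # modify the file after signing
    if ! verify_file "$d/pubkey.pem" "$d/test.txt" "$d/signature.sig"; then
        echo "modified file: signature does not match"
    fi
    rm -rf "$d"
}

demo
```

In scripts, branch on the exit status of the verify command as verify_file does, so that a change in the wording of the output cannot turn a failure into a pass.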