Introduction

This document describes how to check a X.509 Certificate for signing from the command line with openssl. It also shows how  to check a signature of a signed file with openssl.

The examples uses EC Keys only.

Extracting the Public Key from the X.509 Certificate

To check a signature with openssl we have to use the public key related to the private key the file was signed with. Therefore we have to extract the public key from the given X.509 certificate for further usage.

openssl x509 -in /path/to/certificate.pem -noout -pubkey > /tmp/pubkey.pem

Signing a file with a Private Key

In this example a file test.txt is signed with a private key and the (binary) signature will be stored to a file signature.sig.

openssl dgst -sign private_key.pem -keyform PEM -sha256 -out signature.sig -binary test.txt

Check the signature with a public key

openssl dgst -verify user_pubkey.pem -keyform PEM -sha256 -signature signature.sig -binary test.txt

Possible results are 

• Verified OK
  • the signature for the signed file matches
• Verification Failure
  • the signature does not match