How to sign something with a certificate
Signing
What you have got (in PEM format):
- Your private key: code.key
- Your certificate (the signed signing request): code.crt
- Your CA's intermediate cert: ca.crt
- The data to sign: file.data
Now build the certificate bundle that you will publish:
cat code.crt ca.crt > public.pem
To sign:
openssl dgst -sha256 -sign code.key -out file.data.sha256 file.data
Now publish:
- file.data
- file.data.sha256
- public.pem
Not working
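- You cannot use the -hex option when signing: the signature is then written as hex text, while the -verify step below expects the raw binary signature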
Verifying
To verify, the user retrieves:
- public.pem
- file.data
- file.data.sha256
Verification of the certificate
openssl verify -CAfile public.pem public.pem
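If this prints "OK", the certificate in public.pem is OK. Note that openssl verify checks only the first certificate in the file (code.crt), and that the CA certificate used here comes from the same download as the data, so this only confirms that the bundle is consistent with itself. To establish trust, compare the CA certificate with a copy obtained from the CA through a separate channel.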
Extracting the public key from the public certificate
openssl x509 -in public.pem -pubkey -noout > pubkey.pem
Verification of the signature
openssl dgst -sha256 -verify pubkey.pem -signature file.data.sha256 file.data
That's it. The difficulty is to explain this to others, as this is too difficult to remember.
-Tino, 2010-07-27
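
The three verification steps above wrapped into one function that fails closed, as an added example that is not part of the original page. The return codes, the optional TRUSTED_CA argument and the make_demo helper (which builds throwaway, constructed test material) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): the page's verification steps as
# one function. Return codes 1/2/3 are this example's own convention.

# verify_release DIR [TRUSTED_CA]
#   DIR holds public.pem, file.data and file.data.sha256 as published above.
#   TRUSTED_CA (assumption, optional): CA certificate obtained out of band.
#   Without it the bundle is checked against itself, as the page's command does.
verify_release() {
    dir=$1
    cafile=${2:-$dir/public.pem}
    # 1. Certificate check: openssl verify examines the first certificate only.
    openssl verify -CAfile "$cafile" "$dir/public.pem" 2>/dev/null \
        | grep -q ': OK$' || return 1
    # 2. Extract the signer's public key (x509 also reads the first certificate).
    openssl x509 -in "$dir/public.pem" -pubkey -noout > "$dir/pubkey.pem" \
        2>/dev/null || return 2
    # 3. Signature check over the raw binary signature.
    openssl dgst -sha256 -verify "$dir/pubkey.pem" \
        -signature "$dir/file.data.sha256" "$dir/file.data" 2>/dev/null \
        | grep -q '^Verified OK$' || return 3
}

# make_demo DIR: constructed test material (throwaway self-signed CA and key),
# then the page's own bundling and signing commands.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -keyout "$d/code.key" -out "$d/code.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/code.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/code.crt" 2>/dev/null &&
    cat "$d/code.crt" "$d/ca.crt" > "$d/public.pem" &&
    printf 'constructed sample payload\n' > "$d/file.data" &&
    openssl dgst -sha256 -sign "$d/code.key" -out "$d/file.data.sha256" "$d/file.data"
}
```

Source the file, then run `verify_release .` in the directory holding the three downloaded files; a return value of 0 means all three checks passed.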