Introduction
This document describes how to check, from the command line with OpenSSL, the signature of a file that was signed with the private key belonging to an X.509 certificate.
The examples use EC private keys only; the same commands work unchanged for RSA keys.
Extracting the Public Key from the X.509 Certificate
To check a signature with OpenSSL you need the public key that belongs to the private key the file was signed with. Extract it from the X.509 certificate file certificate.pem into the file pubkey.pem:
openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem
Signing a File with a Private Key
In this step the file test.txt is signed with the private key file privkey.pem. The binary signature (for an EC key this is a DER-encoded ECDSA signature) is written to the file test.txt.sig.
openssl dgst -sign privkey.pem -keyform pem -sha256 -out test.txt.sig -binary test.txt
Checking the Signature by use of the Public Key
In this step the public key file pubkey.pem is used to check whether the signature file test.txt.sig matches the file test.txt. The digest algorithm (-sha256 here) must be the same one that was used when signing: the signature file does not record it, and using a different digest simply produces a verification failure.
openssl dgst -verify pubkey.pem -keyform pem -sha256 -signature test.txt.sig -binary test.txt
Possible results are:
Verified OK
- The signature was produced over test.txt by the private key matching pubkey.pem. The command exits with status 0.
Verification Failure
- The signature does not match the file and public key: the file was modified, a different key was used, or a different digest was chosen. The command exits with status 1. Newer OpenSSL releases print this as "Verification failure", so scripts should test the exit status rather than match the message text.
Note that "Verified OK" only proves that the signature matches this particular public key. It says nothing about whether certificate.pem itself is trustworthy (issuer chain, validity period, revocation); check the certificate separately before relying on a key extracted from it.
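The whole procedure above, run end to end as a POSIX shell script. This is an added example and not code from the original page: it creates a throw-away P-256 key and self-signed certificate (the page assumes you already have privkey.pem and certificate.pem), signs a constructed sample file, verifies it, then flips one byte in the file to show that verification is rejected. The directory created by mktemp, the CN "demo", the sample payload and the function names are assumptions made for the example; the three openssl commands in the middle are the page's own.

```shell
#!/bin/sh
# Added example: end-to-end EC sign/verify with openssl, relying on the
# exit status of "openssl dgst -verify" rather than on its message text.
set -eu

# Create a demo P-256 private key and self-signed certificate in DIR, then
# extract the public key from the certificate (page step 1).
# The subject "/CN=demo" and the file names are assumptions for this demo.
make_demo_keys() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/privkey.pem"
    openssl req -new -x509 -key "$dir/privkey.pem" -subj "/CN=demo" \
        -days 1 -out "$dir/certificate.pem" 2>/dev/null
    openssl x509 -in "$dir/certificate.pem" -noout -pubkey > "$dir/pubkey.pem"
}

# sign_file PRIVKEY FILE SIGFILE  (page step 2)
sign_file() {
    openssl dgst -sign "$1" -keyform pem -sha256 -out "$3" -binary "$2"
}

# verify_file PUBKEY FILE SIGFILE  (page step 3)
# Returns 0 on "Verified OK" and non-zero on "Verification Failure".
# Output is discarded on purpose: the exit status is the reliable signal.
verify_file() {
    openssl dgst -verify "$1" -keyform pem -sha256 -signature "$3" \
        -binary "$2" >/dev/null 2>&1
}

# run_demo: returns 0 only if the genuine signature verifies AND the
# signature over a tampered copy of the file is rejected.
run_demo() {
    dir=$(mktemp -d)
    make_demo_keys "$dir"

    # Constructed sample payload for the demo.
    printf 'constructed sample payload\n' > "$dir/test.txt"
    sign_file "$dir/privkey.pem" "$dir/test.txt" "$dir/test.txt.sig"

    if ! verify_file "$dir/pubkey.pem" "$dir/test.txt" "$dir/test.txt.sig"; then
        echo "unexpected: genuine signature rejected" >&2
        rm -rf "$dir"
        return 1
    fi

    # Change a single byte of the signed file; the old signature must fail.
    printf 'constructed sample payloaD\n' > "$dir/test.txt"
    if verify_file "$dir/pubkey.pem" "$dir/test.txt" "$dir/test.txt.sig"; then
        echo "unexpected: tampered file accepted" >&2
        rm -rf "$dir"
        return 1
    fi

    rm -rf "$dir"
    return 0
}
```

The verify step deliberately throws away openssl's text output so that the script does not depend on the exact wording, which differs between OpenSSL versions. In a real deployment the public key would come from a certificate you have already validated against a trusted CA; this demo's self-signed certificate is only there so the script can run stand-alone.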