Manually walking through the signature generation of a certificate

Based on this very enlightening question and answer, I’m interested in how to generate the signature of an x509 certificate manually, assuming I do have the private key.

Let’s create a self-signed certificate named scrt with matching private key skey as an exercise. I’d expect this to work:

#!/bin/bash  # extract TBS certificate openssl asn1parse -in scrt -strparse 4 -noout -out tbs # create signature of TBS certificate cat tbs | openssl sha256 -sign skey -out sig # create hash of TBS certificate cat tbs | openssl sha256 -binary -out hash # check if the signature of the hash is valid openssl pkeyutl -verify -in hash -sigfile sig -inkey scrt -certin 

However, it tells me: “Signature Verification Failure”

What am I doing wrong?