Based on this very enlightening question and answer, I’m interested in how to generate the signature of an x509 certificate manually, assuming I do have the private key.
Let’s create a self-signed certificate named scrt with matching private key skey as an exercise. I’d expect this to work:
```bash
#!/bin/bash
# extract TBS certificate
openssl asn1parse -in scrt -strparse 4 -noout -out tbs
# create signature of TBS certificate
cat tbs | openssl sha256 -sign skey -out sig
# create hash of TBS certificate
cat tbs | openssl sha256 -binary -out hash
# check if the signature of the hash is valid
openssl pkeyutl -verify -in hash -sigfile sig -inkey scrt -certin
```
However, it tells me: “Signature Verification Failure”
What am I doing wrong?
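An added example, not the asker's script, that runs the same manual procedure end to end on a throwaway self-signed RSA certificate: it cuts the tbsCertificate out of the DER, pulls the signature BIT STRING that is already in the certificate, hashes the TBS bytes, and hands pkeyutl the bare digest together with the name of the hash it is checking. The key/cert files, subject and helper names are constructed for this example; an openssl CLI (1.1 or 3.x) with RSA is assumed.

```shell
#!/bin/sh
# Added example: verify an X.509 certificate signature by hand with the openssl CLI.
# All file names below are constructed for the example; nothing is read from elsewhere.
set -eu

# Verify a raw SHA-256 digest ($1) against signature file ($2) with the
# public key taken from certificate $3. pkeyutl is given a bare hash, so it
# must be told which digest the PKCS#1 v1.5 DigestInfo should name.
vfy() {
  out=$(openssl pkeyutl -verify -in "$1" -sigfile "$2" -inkey "$3" -certin \
        -pkeyopt digest:sha256 2>/dev/null) || true
  [ "$out" = "Signature Verified Successfully" ]
}

manual_verify() {
  w=$(mktemp -d)
  # Constructed self-signed certificate and key (RSA 2048, SHA-256).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=manual-verify-example" -keyout "$w/skey" -out "$w/scrt" 2>/dev/null
  # Work on DER so that asn1parse offsets are byte offsets into the real encoding.
  openssl x509 -in "$w/scrt" -outform DER -out "$w/scrt.der"
  # tbsCertificate is the first element of the outer SEQUENCE; that SEQUENCE
  # header is 4 bytes (30 82 LL LL) for any certificate of 256..65535 bytes.
  openssl asn1parse -in "$w/scrt.der" -inform DER -strparse 4 -noout -out "$w/tbs"
  # The signature is the last top-level element: a BIT STRING whose first
  # content byte is the unused-bits count (0x00), then the raw signature bytes.
  line=$(openssl asn1parse -in "$w/scrt.der" -inform DER | tail -n 1)
  off=$(printf '%s\n' "$line" | sed -E 's/^ *([0-9]+):.*/\1/')
  hl=$(printf '%s\n' "$line" | sed -E 's/.*hl= *([0-9]+).*/\1/')
  len=$(printf '%s\n' "$line" | sed -E 's/.*l= *([0-9]+).*/\1/')
  dd if="$w/scrt.der" of="$w/sig" bs=1 skip=$((off + hl + 1)) count=$((len - 1)) 2>/dev/null
  # Raw 32-byte SHA-256 digest of the TBS bytes (what the CA actually signed).
  openssl dgst -sha256 -binary -out "$w/hash" "$w/tbs"
  # 1) The signature embedded in the certificate must verify against that digest.
  vfy "$w/hash" "$w/sig" "$w/scrt" || return 1
  # 2) Cross-check: a fresh signature over the same TBS bytes with the private
  #    key verifies the same way (dgst -sign builds the DigestInfo itself).
  openssl dgst -sha256 -sign "$w/skey" -out "$w/sig2" "$w/tbs"
  vfy "$w/hash" "$w/sig2" "$w/scrt" || return 1
  rm -rf "$w"
  return 0
}
```

Running `manual_verify` exits 0 only when both the certificate's own signature and the freshly made one verify against the extracted TBS digest, which confirms that the `-strparse 4` extraction produced the exact bytes the signer hashed.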