Can an SSL certificate be used to digitally sign files?

I want to ask about digital signatures, as I'm not very sure about this. Instead of creating a self-signed certificate for signing some (PDF) files, I would like to get an SSL certificate that has already verified my data.

But the question is: can an SSL certificate be used to digitally sign files, or is it incompatible in some way?

EDIT: To clarify, this question is not about how to sign PDF files, but only about whether an SSL certificate can be used (or converted in any way) to sign files.

+5

3 answers

For a certificate to support digital signatures, it must have the digitalSignature bit in its keyUsage (and codeSigning in extendedKeyUsage if you want to sign programs with it).

Signing can be done with existing tools or manually (a Java example; you did not ask for it, but this piece of code may be useful in any case):

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

byte[] bytesToSign = loadMyData();   // loadMyData() is the answer's placeholder for reading the file to sign
// Open the PKCS#12 keystore that holds the certificate and its private key
KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
ks.load(new FileInputStream("cert.p12"), "passwd1".toCharArray());
PrivateKey privateKey = (PrivateKey) ks.getKey("myalias", "passwd2".toCharArray());
// SHA1withRSA is what the answer used; SHA-1 is no longer recommended, SHA256withRSA is the usual choice today
Signature sig = Signature.getInstance("SHA1withRSA", ks.getProvider());
sig.initSign(privateKey);
sig.update(bytesToSign);
byte[] signature = sig.sign();   // raw PKCS#1 signature over bytesToSign
```

To make your own self-signed certificate with openssl, see this SO answer.

It’s also interesting to know about signing a PDF - aren’t the individual hash sums of these files enough in your case?

edit: if you just want a signature, not specifically an X.509 signature made with existing tools, you can extract the RSA key from your certificate and sign with it without worrying about the keyUsage field.

+4

Yes, you can sign files and verify the signatures using SSL certificates.

Here is an example:

```bash
SSLCERT='/XXXX/ssl/certs/fqdn.pem'
SSLKEY='/XXXX/ssl/private_keys/fqdn.pem'
# You might not need to specify a CA
CACERTFILE='/XXXX/ssl/certs/ca.pem'
# File to sign
FILE='YYYYYYY'

# Signs, needs ${SSLKEY} and ${FILE}
openssl dgst -sha512 -sign "${SSLKEY}" -out "${FILE}.sha512" "${FILE}"

# Then transfer the following files to another server:
#  - ${CACERTFILE}
#  - ${SSLCERT}
#  - ${FILE}
#  - ${FILE}.sha512

# Check the certificate is valid
openssl verify -verbose -CAfile "${CACERTFILE}" "${SSLCERT}"
# Extract the pub key from the cert
openssl x509 -in "${SSLCERT}" -pubkey -noout > "${SSLCERT}.pub"
# Check the signature
openssl dgst -sha512 -verify "${SSLCERT}.pub" -signature "${FILE}.sha512" "${FILE}"
```
+1
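The two points made above, that a signing certificate needs the digitalSignature key usage and that an ordinary TLS key can sign and verify files with openssl, combined into one self-contained script. This is an added example, not code from any of the answers; it generates a throwaway key and certificate in a temporary directory and assumes OpenSSL 1.1.1 or later (for `-addext`).

```bash
#!/bin/sh
# Added example: check a certificate's keyUsage, then sign and verify a file.
set -eu

WORK="$(mktemp -d)"
KEY="$WORK/key.pem"; CERT="$WORK/cert.pem"; PUB="$WORK/cert.pub"

# Generate a test key and self-signed cert with the keyUsage a TLS
# server cert typically carries (digitalSignature + keyEncipherment).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
        -days 1 -subj "/CN=example.test" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# Return 0 only if the X509v3 Key Usage extension lists "Digital Signature".
cert_allows_signing() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Digital Signature'
}

# Sign file $2 with private key $1; the raw RSA signature goes to $3.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify signature $3 over file $2 using the public key from certificate $1.
verify_file() {
    openssl x509 -in "$1" -pubkey -noout > "$PUB"
    openssl dgst -sha256 -verify "$PUB" -signature "$3" "$2" >/dev/null 2>&1
}

# Demo: constructed input file, good signature, then a tampered copy.
make_test_cert
if cert_allows_signing "$CERT"; then echo "cert allows signing"; fi
printf 'hello world\n' > "$WORK/data.txt"
sign_file "$KEY" "$WORK/data.txt" "$WORK/data.sig"
if verify_file "$CERT" "$WORK/data.txt" "$WORK/data.sig"; then
    echo "signature OK"
fi
printf 'hello w0rld\n' > "$WORK/tampered.txt"
if verify_file "$CERT" "$WORK/tampered.txt" "$WORK/data.sig"; then
    echo "unexpected: tampered file verified"
else
    echo "tampered file rejected"
fi
```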