Self-signed RSA cert generation and signing using OpenSSL

Ivan Molina Rebolledo
- 1 min read

(The following notes were made as a self-guide for a U. class (Network Security))

First step: Obtaining our PEM keys. This can be done as my previous post, where the generated keys are already in PEM format.

A PEM encoded key looks like this:



The content between those two markers should be a base64 encoded key.

So this step is easy.

If you don't have a PEM key, use the OpenSSL rsa to convert an already exisitng non-PEM key:

openssl rsa -in oldkey -outform pem -out newkey.pem

Generating a certificate

This can be done in one step:

openssl req -x509 -new -key PrivKey.pem -out Cert.pem -sha256

We are using req to generate certificates in the PKCS#10 format. The -x509 parameter is specifying that we want a self-signed certificate. -new generates the certificate. The other three parameters are self-explanatory; we are using sha256 as our hash algorithm.

Signing a file

For this we are going to use pkeyutl:

openssl pkeyutl -sign -in File -inkey Priv.pem -out SignedFile

Verifying a file

openssl pkeyutl -verify -in File -sigfile SignedFile -certin -inkey Cert.pem

In this case we use -verify to verify a File given a signature. -sigfile is the signature generated in the previous step. -certin specifies that we are using a certificate to verify out signature and file.

And that's all.

Need more help? Fear no more:

man openssl

(Just a quick note about the manpages: in macOS, all the subcommand are included with the openssl manpage, but that's not the case for other unixes. In Ubuntu, you have to request the manpage for a specific subcommand like this: man enc, for openssl enc.)