
Sign XML files with detached signature using OpenSSL

Integrate the DigiCert® Software Trust Manager PKCS11 library with OpenSSL to sign XML files.

Prerequisites

Install and configure Software Trust Manager PKCS11 with OpenSSL

Follow these instructions to install OpenSSL and configure it with Software Trust Manager PKCS11 library.

Sign with OpenSSL dgst

Copy the XML file you want to sign into the working directory from which you will run OpenSSL.

To sign an XML file, use:

openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=<keypair alias>;type=private" -sha256 -out <Detached signature output file> <Unsigned XML File>

Output sample:

root@dcd6f73b44b0:~/xmlsign# openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=sid-xmlsign-keypair;type=private" -sha256 -out xml-detached.sig -sha256 unsigned.xml
engine "pkcs11" set.

Verify XML signature

The public key is required to verify the signature.

You can retrieve the public key using the Software Trust Manager UI, CLI, or OpenSSL.

To extract the public key from the keypair's certificate file (<keypair alias>.pem) with OpenSSL, use:

openssl x509 -pubkey -noout -in <keypair alias>.pem > pubkey.pem

To verify the XML signature, use:

openssl dgst -verify pubkey.pem -signature <Detached signature output file> <Unsigned XML file>

Output sample:

root@dcd6f73b44b0:~/xmlsign# openssl  dgst -verify pubkey.pem -signature xml-detached.sig unsigned.xml  
Verified OK
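The sign-then-verify procedure above, as an added example that is not part of the DigiCert documentation. It assumes a locally generated RSA key in place of the Software Trust Manager PKCS11 keypair (so it runs without the engine), a constructed sample XML document, and the hypothetical helper names sign_xml, verify_xml, verify_untouched and verify_rejects_tamper. It also goes one step beyond the page by showing that a one-byte change to the signed document makes the detached signature fail verification.

```shell
#!/bin/sh
# Added example, not DigiCert's own code. Assumption: a software RSA key stands
# in for the HSM-backed "pkcs11:object=<keypair alias>;type=private" key.
set -eu

WORK=$(mktemp -d)

# Constructed sample XML document to sign.
cat > "$WORK/unsigned.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<release><name>example</name><version>1.0.0</version></release>
EOF

# Software keypair standing in for the Software Trust Manager keypair (assumption).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
# Public key for the verifier; on the real system this comes from the
# keypair's certificate via "openssl x509 -pubkey -noout".
openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pubkey.pem"

# Sign: SHA-256 digest over the file, signature written to a separate
# (detached) file, exactly as "openssl dgst -sign ... -out" does on the page.
sign_xml() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$2" "$1"
}

# Verify: exit status 0 means "Verified OK", non-zero means failure.
# The digest is given explicitly so it cannot drift from the signing side.
verify_xml() {
    openssl dgst -sha256 -verify "$WORK/pubkey.pem" -signature "$2" "$1" >/dev/null 2>&1
}

sign_xml "$WORK/unsigned.xml" "$WORK/xml-detached.sig"

# Returns 0 when the untouched document verifies against its signature.
verify_untouched() {
    verify_xml "$WORK/unsigned.xml" "$WORK/xml-detached.sig"
}

# Returns 0 when a modified copy of the document is rejected by the verifier.
verify_rejects_tamper() {
    sed 's/1\.0\.0/1.0.1/' "$WORK/unsigned.xml" > "$WORK/tampered.xml"
    if verify_xml "$WORK/tampered.xml" "$WORK/xml-detached.sig"; then
        return 1
    fi
    return 0
}

verify_untouched && echo "original: Verified OK"
verify_rejects_tamper && echo "tampered: verification failed as expected"
```

The verify command on the page omits the digest option; OpenSSL 1.1.0 and later default to SHA-256 in dgst, so it matches the signing step, but passing -sha256 on both sides avoids a silent mismatch if the default ever differs between the signing and verifying hosts.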