
Configure and sign with OpenSSL

OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures.

Tip

OpenSSL does not support the following characters in sign commands: ; ! ' ( ) [ &

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Follow these instructions to sign directly using OpenSSL and securely reference your private key stored in DigiCert® KeyLocker via our PKCS11 library.

Caution

Scan your systems for uses of OpenSSL 3.0 and above, and if you find any instances, upgrade to 3.0.7. See OpenSSL releases patch for high-severity vulnerability in versions 3.0 and above.

Types of OpenSSL signatures

OpenSSL supports three types of signatures:

  • DGST

  • SMIME

  • RSA UTL

Prerequisites

Sign with OpenSSL (DGST)

  • DGST signing creates a binary output file.

  • Use the PKCS11 URL for the private key to sign.

  • Use the PKCS11 URL for the x.509 certificate or public key to verify the signature.

OpenSSL signing

To create an SMIME signature, use:

openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in <file to be signed> -out <signed output file> -outform smime -inkey "pkcs11:object=<keypair-alias>;type=private" -signer <public key file>

Example:

openssl smime -sign -engine pkcs11 -keyform engine -md sha256 -binary -in example.txt -out example.p7s -outform smime -inkey "pkcs11:object=keytool;type=private" -signer keytool.cer               

Download the certificate (SMIME)

Download SMIME certificate

To download the certificate using SMCTL:

  1. To list the certificates, use:

    smctl certificate list

  2. To download the certificate, use:

    smctl certificate download

Verify the signature (SMIME)

To confirm that the file is signed, use:

openssl smime -verify -in example.p7s -signer keytool.cer -out example.txt -noverify

Note

The -noverify option skips chain verification of the supplied certificate file. The signature over the content is still checked against that certificate; only the certificate's trust chain is not validated.

Sign with OpenSSL (RSA UTL)

  • RSA UTL needs the input file to be pre-digested before requesting a signature.

  • OpenSSL rsautl uses the PKCS11 URL for the x.509 certificate or public key.

Note

On Windows, you also need the Vim editor, which provides the xxd utility used below.

To sign using RSA UTL:

  1. Create a digest of the original file that you want to sign, using:

    openssl dgst -sha256 -binary <input_file> | xxd -p -c 256 > <output_file>

    Sample command:

    openssl dgst -sha256 -binary example.txt | xxd -p -c 256 > example.digest.sha256

    Note

    This command generates a result in hex format.

  2. Sign the digest created, using:

    openssl rsautl -engine pkcs11 -sign -pkcs -in <digest_file> -inkey "pkcs11:object=<keypair-alias>;type=private" -keyform engine -out <signed_digest_file>

    Sample command:

    openssl rsautl -engine pkcs11 -sign -pkcs -in readme.digest.sha256 -inkey "pkcs11:object=keytool;type=private" -keyform engine -out readme.sig.sha256 

    Note

    This command generates a result of the signed digest in binary format.

To verify a signature using RSA UTL:

  1. Verify the signed digest, using:

    openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=<keypair-alias>;type=public" -in <signed_digest_file> -out <output_decrypted_file>

    Command sample:

    openssl rsautl -engine pkcs11 -keyform engine -verify -inkey "pkcs11:object=keytool;type=public" -in readme.sig.sha256 -out output_decrypted_digest_file.sha256

  2. Validate the signature by comparing the unsigned digest computed from the original file with the decrypted digest produced by the verify command, using:
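The complete RSA UTL round trip described above (digest, sign, recover, compare), as an added example that is not part of the DigiCert page: a locally generated RSA key pair stands in for the KeyLocker PKCS11 URL and engine, the openssl CLI is assumed, and xxd is optional (a portable hex encoder with identical output is used when it is absent).

```shell
#!/bin/sh
# Added example, not from the DigiCert page. A throwaway local RSA key replaces the
# "pkcs11:object=<keypair-alias>;type=private|public" URLs and the -engine pkcs11 options.
set -eu

# Hex-encode stdin exactly as `xxd -p -c 256` does for a 32-byte SHA-256 digest:
# 64 lowercase hex characters followed by one newline (the newline is part of what is signed).
hex_p() {
  if command -v xxd >/dev/null 2>&1; then
    xxd -p -c 256
  else
    od -An -v -tx1 | tr -d ' \n'; printf '\n'
  fi
}

# Signing steps 1 and 2: digest the input, then sign the hex digest with PKCS#1 v1.5 padding.
# $1 = file to sign, $2 = private key PEM, $3 = digest file to write, $4 = signature file to write
rsautl_sign() {
  openssl dgst -sha256 -binary "$1" | hex_p > "$3"
  openssl rsautl -sign -pkcs -in "$3" -inkey "$2" -out "$4"
}

# Verification steps 1 and 2: recover the signed digest, recompute the digest of the original,
# and compare them. Returns 0 only on an exact match (a tampered file or bad signature fails).
# $1 = original file, $2 = public key PEM, $3 = signature file
rsautl_verify() {
  recovered=$(openssl rsautl -verify -pkcs -pubin -inkey "$2" -in "$3")
  expected=$(openssl dgst -sha256 -binary "$1" | hex_p)
  [ "$recovered" = "$expected" ]
}

# Constructed demo: generate a 2048-bit key pair, sign a sample file, verify it, then confirm
# that a tampered copy is rejected. Returns 0 when both checks behave as expected.
demo() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null
  openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem"
  printf 'constructed sample content\n' > "$d/example.txt"
  rsautl_sign "$d/example.txt" "$d/key.pem" "$d/example.digest.sha256" "$d/example.sig.sha256"
  rsautl_verify "$d/example.txt" "$d/pub.pem" "$d/example.sig.sha256" || { rm -rf "$d"; return 1; }
  printf 'constructed sample content!\n' > "$d/tampered.txt"
  if rsautl_verify "$d/tampered.txt" "$d/pub.pem" "$d/example.sig.sha256" 2>/dev/null; then
    rm -rf "$d"; return 1
  fi
  rm -rf "$d"
}

demo && echo "rsautl sign/verify round trip OK; tampered file rejected"
```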

Optional: use p11tool to list certificates

Use p11tool to list objects in a format that OpenSSL supports. This option lets you retrieve the PKCS11 URLs of the private key and its corresponding certificate (Object 2; Type: Private key, and Object 0; Type: X.509 Certificate, as shown below).

To allow DigiCert® KeyLocker to retrieve the PKCS11 URL for the private key and its corresponding certificate, use:

p11tool --provider=<absolute path to smpkcs11.so> --list-all

Sample command:

OPENSSL_CONF=C:\Users\taylo\Downloads\Keylockertools-windows-x64\dc-openssl.conf p11tool --provider=/home/myles/Keylockertools-linux-x64/bin/smpkcs11.so --list-all

Note

Object 2; Type: Private key and object 0; Type: X.509 Certificate.