On Wed, 22 Jul 2015 09:17:43 +0000 (UTC) Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:

> Hello,
> I have used rsautl -sign option to sign a text file which gives me a
> binary file. I would like to convert this to X509 so that I can use
> it in a ssl handshake. I understand the command: openssl x509 -inform
> <format> -in <certfile> -out <cert.pem> is used. I want to know what
> the parameters would be for a binary input file. Thanks in advance.

Unfortunately, a signed text file and a certificate are quite different things.

Of course, a certificate is a signed electronic document. But it is a document of a special binary format, which contains a public key and information about the owner of the corresponding private key. And typically, it is not signed by you, it is signed by a Certificate Authority (known to the server).

When you use a certificate (and the corresponding private key) during an SSL handshake, it means that the server sends you something, you sign this something using your private key and send the signature to the server along with the certificate.

The server verifies the signature under the data, which it remembers having sent to you, using the public key contained in the certificate, and says "Ok, this guy really owns the private key corresponding to the public key in this certificate".

It also verifies the signature under the certificate using known beforehand and trusted CA certificates, to make sure that the public key stored in the certificate really belongs to the person mentioned in the certificate subject field.

So, if you sign some text file using your certificate, this signature cannot be used in the SSL handshake in any way. Because you've signed some text file, not a challenge sent by the server during the SSL handshake.

This signature proves that you, the owner of the private key, have had access to this text file (provided your private key is not compromised), but there is no way to use this signature to prove that you are the one who established the connection with the server. To prove so, you have to sign something sent to you from the server, not some data known beforehand.

Really, option -sign of this utility may produce some signed document format such as PKCS#7 or CMS, which contains the signer's certificate. For the same purpose which I've described above. If someone wants to verify that you've signed this file, one should have your certificate, with the public key and your name in it. The simplest way to ensure this is to attach the certificate to the signed message. Then the recipient of the message can validate the certificate, extracted from the message, with a known and trusted CA and then use it to verify the signature under the message.

If you want to use such a curved way to extract the certificate from the card, it is possible, provided that your rsautl produces a standard signed message format, i.e. PKCS#7. Maybe

    openssl pkcs7 -inform der -in signedfile.bin -print_certs -out filename.pem

would do the trick and write the certificate of the one who signed the file into filename.pem.

But this is not called "convert signed file to X509 format", it is called "extract X509 certificate from signed file".
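
The difference between a raw signature and a signed message that carries a certificate, as an added example that is not part of the original message: it produces both kinds of file from the same key and checks which of them `openssl x509` and `openssl pkcs7` can parse. The key, the self-signed certificate (CN `demo-signer`), the message text and all file names are throwaway values constructed for this demonstration.

```shell
#!/bin/sh
# Added example; key, certificate and message are constructed throwaway values.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway RSA key, self-signed certificate (placeholder subject) and a text file.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
printf 'some text known beforehand\n' > "$work/msg.txt"

# 1. Raw RSA signature, the kind of output "rsautl -sign" gives
#    (pkeyutl is the current equivalent of rsautl).
openssl pkeyutl -sign -inkey "$work/key.pem" -in "$work/msg.txt" -out "$work/sig.bin"

# 2. PKCS#7 signed message with the signer's certificate embedded.
openssl smime -sign -binary -nodetach -outform der -signer "$work/cert.pem" \
    -inkey "$work/key.pem" -in "$work/msg.txt" -out "$work/signed.p7" 2>/dev/null

# Succeeds only if the file parses as a DER X.509 certificate.
is_der_cert() {
    openssl x509 -inform der -in "$1" -noout >/dev/null 2>&1
}

# Succeeds only if the file parses as a DER PKCS#7 structure.
is_der_pkcs7() {
    openssl pkcs7 -inform der -in "$1" -noout >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Extract the signer certificate from a PKCS#7 file and print its fingerprint.
extracted_fingerprint() {
    openssl pkcs7 -inform der -in "$1" -print_certs -out "$work/extracted.pem"
    fingerprint "$work/extracted.pem"
}

echo "raw signature size: $(wc -c < "$work/sig.bin") bytes"
is_der_cert "$work/sig.bin" && echo "sig.bin is a certificate" || echo "sig.bin is not a certificate"
is_der_pkcs7 "$work/signed.p7" && echo "signed.p7 is PKCS#7" || echo "signed.p7 is not PKCS#7"
echo "original:  $(fingerprint "$work/cert.pem")"
echo "extracted: $(extracted_fingerprint "$work/signed.p7")"
```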