
Sign file with .der-Certificate and create signature (pkcs#7)


The thing I would like to do is:

  • Sign a zip-file with openssl using a certificate and create a signature-file (pkcs#7)

What I have/I did so far:

  1. I installed openssl and opened the console
  2. I created an RSA key (openssl genrsa -out key.pem 2048)
  3. I created a request (openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=../ST=../L=../O=../OU=../CN=..')
  4. I sent this request to someone who did some magic with the request and sent me a file named 'certificate.der'. When I open this file there is some information like ocsp-url and things like this.

So far, so good. Next my naive approach is to sign the zip-file with this certificate and tell openssl to create the pkcs#7-signature so I can verify it using the ocsp-responder. But I have really not the foggiest notion whether the approach is correct and how to sign the zip-file. :-( If I have errors in reasoning please also let me know. :-)

Can someone please help me?


Solution

  • You can use openssl to do that. Use the command

    openssl.exe smime -sign -binary -in file.zip -signer certificate.der -inkey key.pem -outform DER -out file.p7b
    

    You can verify the signature using openssl with this command

    openssl.exe smime -verify -binary -inform DER -in file.p7b -content file.zip -noverify > nul
    

    For more information read openssl manual here
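
The sign and verify steps from the answer, as an added example that is not part of the original post: it builds a throwaway CA and signer so it runs offline, and verifies with `-CAfile` in place of `-noverify` so the signer's certificate chain is checked as well as the signature. The helper names (`make_demo_pki`, `sign_file`, `verify_file`, `demo`), file names and subject names are constructed for the demo, and it calls `openssl` from a POSIX shell rather than `openssl.exe`.

```shell
#!/bin/sh
# Added example. File and subject names are constructed for the demo.

# make_demo_pki DIR: throwaway CA plus signer key and DER certificate,
# standing in for the key.pem / certificate.der pair from the question.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=Demo CA' -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -batch -sha256 -new -key "$1/key.pem" \
        -subj '/CN=Demo Signer' -out "$1/request.pem" &&
    openssl x509 -req -in "$1/request.pem" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -sha256 -outform DER \
        -out "$1/certificate.der" 2>/dev/null
}

# sign_file DIR FILE: detached PKCS#7 signature in DER form, written to FILE.p7b.
# The DER certificate is converted to PEM first, a form every OpenSSL
# version accepts for -signer (added step, not from the answer).
sign_file() {
    openssl x509 -inform DER -in "$1/certificate.der" -out "$1/certificate.pem" &&
    openssl smime -sign -binary -in "$2" -signer "$1/certificate.pem" \
        -inkey "$1/key.pem" -outform DER -out "$2.p7b"
}

# verify_file DIR FILE: checks the signature over FILE and the signer's chain
# up to DIR/ca.pem. Without -noverify, an untrusted signer is rejected.
verify_file() {
    openssl smime -verify -binary -inform DER -in "$2.p7b" -content "$2" \
        -CAfile "$1/ca.pem" -out /dev/null 2>/dev/null
}

# demo: prints one line per check; returns 0 only if all three behave as expected.
demo() {
    a=$(mktemp -d) && b=$(mktemp -d) || return 1
    make_demo_pki "$a" && make_demo_pki "$b" || return 1
    printf 'constructed sample payload\n' > "$a/file.zip"
    sign_file "$a" "$a/file.zip" || return 1
    verify_file "$a" "$a/file.zip" && echo "trusted CA, intact file: OK" || return 1
    verify_file "$b" "$a/file.zip" && return 1; echo "unrelated CA: rejected"
    printf 'x' >> "$a/file.zip"
    verify_file "$a" "$a/file.zip" && return 1; echo "modified file: rejected"
    rm -rf "$a" "$b"
}

demo
```

With a real `certificate.der`, the file passed to `-CAfile` is the issuing CA's certificate chain in PEM form.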