What is the purpose of the OpenSSL "rsautl -sign" command? Can I use it to sign a document?

Yes, you can use OpenSSL "rsautl -sign" command to sign a document. But you need other OpenSSL commands to generate a digest from the document first as shown in the following test:

C:\Users\fyicenter>dir \windows\system32\notepad.exe
07/09/2015  01:42 PM           179,712 notepad.exe

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> dgst -sha1 -binary -out sha1.dgt \windows\system32\notepad.exe

OpenSSL> rsautl -sign -inkey my_rsa.key -in sha1.dgt -out sha1_signed.dgt

OpenSSL> pkey -in my_rsa.key -pubout -out my_rsa_pub.key

OpenSSL commands used in this test are:

• "dgst -sha1 -binary -out sha1.dgt \windows\system32\notepad.exe" - Generate a digest string from the document, notepad.exe, with the SHA-1 algorithm using the "dgst -sha1" command.
• "rsautl -sign -inkey my_rsa.key -in sha1.dgt -out sha1_signed.dgt" - Sign the digest, sha1.dgt, with the RSA private key using the "rsautl sign" command. The output, sha1_signed.dgt, is also called the digital signature of the document.
• "pkey -in my_rsa.key -pubout -out my_rsa_pub.key" - Extract the RSA public key from the RSA private key with "pkey -pubout" command

You can now send out notepad.exe, sha1_signed.dgt, and my_rsa_pub.key, as a "signed" document.

⇒OpenSSL "rsautl" Command for RSA Keys

⇒⇒OpenSSL Tutorials