What is the purpose of the OpenSSL "rsautl -verify" command? Can I use it to verify a signed document?

Yes, you can use OpenSSL "rsautl -verify" command to verify a signed document. But you need other OpenSSL commands to generate a digest from the document first.

For example, you received 3 files as part of a "signed" document: notepad.exe, sha1_signed.dgt, and my_rsa_pub.key, you can the following OpenSSL commands to verify the signature:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> dgst -sha1 -binary -out sha1.dgt \windows\system32\notepad.exe

OpenSSL> rsautl -verify -pubin -inkey my_rsa_pub.key -in sha1_signed.dgt 
   -out sha1_decrypted.dgt

OpenSSL> exit

C:\Users\fyicenter>comp sha1.dgt sha1_decrypted.dgt
Comparing sha1.dgt and sha1_decrypted.dgt...
Files compare OK

Commands used in this test are:

• "dgst -sha1 -binary -out sha1.dgt \windows\system32\notepad.exe" - OpenSSL command to generate a new digest string from the document, notepad.exe, with the SHA-1 algorithm using the "dgst -sha1" command.
• "rsautl -verify -pubin -inkey my_rsa_pub.key -in sha1_signed.dgt -out sha1_decrypted.dgt" - OpenSSL command to decrypt the digital signature of the document. The output, sha1_decrypted.dgt, is the old digest generated by the sender from the document.
• "comp sha1.dgt sha1_decrypted.dgt" - Windows command to compare the new digest with the old digest.

Since the two digests are identical, the digital signature is valid.

⇒OpenSSL "rsautl" Command for RSA Keys

⇒⇒OpenSSL Tutorials