OpenSSL "rsautl -verify" - RSA Signature Verification


What is the purpose of the OpenSSL "rsautl -verify" command? Can I use it to verify a signed document?



Yes, you can use OpenSSL "rsautl -verify" command to verify a signed document. But you need other OpenSSL commands to generate a digest from the document first.

For example, you received 3 files as part of a "signed" document: notepad.exe, sha1_signed.dgt, and my_rsa_pub.key, you can the following OpenSSL commands to verify the signature:


OpenSSL> dgst -sha1 -binary -out sha1.dgt \windows\system32\notepad.exe

OpenSSL> rsautl -verify -pubin -inkey my_rsa_pub.key -in sha1_signed.dgt 
   -out sha1_decrypted.dgt

OpenSSL> exit

C:\Users\fyicenter>comp sha1.dgt sha1_decrypted.dgt
Comparing sha1.dgt and sha1_decrypted.dgt...
Files compare OK

Commands used in this test are:

  • "dgst -sha1 -binary -out sha1.dgt \windows\system32\notepad.exe" - OpenSSL command to generate a new digest string from the document, notepad.exe, with the SHA-1 algorithm using the "dgst -sha1" command.
  • "rsautl -verify -pubin -inkey my_rsa_pub.key -in sha1_signed.dgt -out sha1_decrypted.dgt" - OpenSSL command to decrypt the digital signature of the document. The output, sha1_decrypted.dgt, is the old digest generated by the sender from the document.
  • "comp sha1.dgt sha1_decrypted.dgt" - Windows command to compare the new digest with the old digest.

Since the two digests are identical, the digital signature is valid.


OpenSSL "rsautl" Command for RSA Keys

⇒⇒OpenSSL Tutorials

2017-03-25, 716👍, 0💬