What is the difference between "rsautl -encrypt" and "rsautl -sign" commands?

There are 2 differences between "rsautl -encrypt" and "rsautl -sign" commands:

1. "rsautl -encrypt" and "rsautl -sign" commands take different RSA keys:

• "rsautl -encrypt" only accepts an RSA public key and performs RSA encryption using the given key.
• "rsautl -sign" only accepts an RSA public key and performs RSA encryption using the given key.

2. "rsautl -encrypt" and "rsautl -sign" commands use different flavors of PKCS#1 v1.5 padding:

• "rsautl -encrypt" uses 0x02 as the BT (Block Type) and random bytes as padding string.
• "rsautl -sign" uses 0x01 as the BT (Block Type) and 0xff bytes as padding string.

So if we are using no padding, the only difference between "rsautl -encrypt" and "rsautl -sign" commands is what type of RSA keys they taking. In other words, "rsautl -encrypt -raw" and "rsautl -sign -raw" are identical commands except that the first takes RSA public keys and the second takes RSA private keys.

⇒ OpenSSL "rsautl -encrypt" vs. "rsautl -verify"

⇐ OpenSSL "rsautl -verify" - RSA Signature Verification

⇑ OpenSSL "rsautl" Command for RSA Keys

⇑⇑ OpenSSL Tutorials