8

I want to ask a thing about digital signing I am not very sure. Instead of creating a self signed certificate to use to sign some (PDF) files, I wanted to take my SSL cert which have my data already verified.

But the question is: Can a SSL cert be used to digital sign files or is it incompatible in some manner?

EDIT: To clarify, this question is not about how to sign PDFs, is only about if a SSL cert can be used (or converted in any way) to sign files.

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
StormByte
  • 1,266
  • 1
  • 13
  • 33

3 Answers3

5

To support digital signing certificate must have digitalSignature option in it's keyUsage field (and codeSigning option in it's extendedKeyUsage field if your want to sign programs with it).

Signing may be done with existing tools or manually (java example, you are not asking for it, but this code snippet might be useful anyway):

byte[] bytesToSign = loadMyData();
KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
ks.load(new FileInputStream("cert.p12"), "passwd1".toCharArray());
PrivateKey privateKey = (PrivateKey) ks.getKey("myalias", "passwd2".toCharArray());
Signature sig = Signature.getInstance("SHA1withRSA", ks.getProvider());
sig.initSign(privateKey);
sig.update(bytesToSign);
byte[] signature = sig.sign();

To make your own not self-signed certificate with openssl see this SO answer.

Also curious about signing PDF's - aren't separate hash sums of these files enough in your case?

edit: if you want any sign, not exactly X.509 sign by existing tools, you can extract RSA key from your cert and do signing without bothering about keyUsage field.

Community
  • 1
  • 1
alexkasko
  • 4,855
  • 1
  • 26
  • 31
  • I am talking about invoices as PDF, and they are required to be digitally signed in order to have them have legal validity. Then, a simply sum is not enough in this case. – StormByte Mar 15 '12 at 19:38
  • I already do know that I can make easily a self signed key for this purpose, but wanted to avoid any warning my clients will get if I do that. – StormByte Mar 15 '12 at 19:40
1

Yes, you can sign and verify the signature of files using SSL certificates

Here is an example:

SSLCERT='/XXXX/ssl/certs/fqdn.pem'
SSLKEY='/XXXX/ssl/private_keys/fqdn.pem'
# You might not need to specify a CA
CACERTFILE='/XXXX/ssl/certs/ca.pem'
# File to sign
FILE='YYYYYYY'

# Signs, needs ${SSLKEY} and ${FILE}
openssl dgst -sha512 -sign ${SSLKEY} -out ${FILE}.sha512 ${FILE}

# Then transfer the following files to another server:
#  - ${CACERTFILE}
#  - ${SSLCERT}
#  - ${FILE}
#  - ${FILE}.sha512

# Check the certificate is valid
openssl verify -verbose -CAfile ${CACERTFILE} ${SSLCERT}
# Extract the pub key from the cert
openssl x509 -in ${SSLCERT} -pubkey -noout > ${SSLCERT}.pub
# Check the signature
openssl dgst -sha512 -verify ${SSLCERT}.pub -signature ${FILE}.sha512 ${FILE}
Eric
  • 6,563
  • 5
  • 42
  • 66
Sebastien T
  • 11
  • 1
1

At the core, the certificate is just a normal RSA public key that's been signed by several authorities.

So yes, definitely possible.

Though I don't know of any easy-to-use widespread tools for the end-user for this.

Deestan
  • 16,738
  • 4
  • 32
  • 48
  • Thanks, that's what I wanted to know. Because if it can be handled by openssl to sign things, then it will work. – StormByte Mar 14 '12 at 01:37
  • 1
    See alx3apps answer for more information. You can do it, but unless you have the digitalSignature option in keyUsage, (or codeSigning to sign code), the signature might be rejected by other implementations. – mfanto Mar 15 '12 at 19:08