The company I work for wants me to implement some C functions to automatically sign their software. After doing some research I've found that OpenSSL is great for doing so.
Before starting the implementation in C, I wanted to get a feeling for the workflow by executing it in the CLI first. But that left me a bit confused, because I'm not sure where certificates should be used here.
These are the steps that I've taken:
- Generate a private key
$ openssl genrsa -out privat.pem 2048
- Extract public key from private key
$ openssl rsa -in privat.pem -outform PEM -pubout -out public.pem
- Sign the example file with the private key
$ openssl dgst -sha256 -sign privat.pem -out sign.sha256 file.txt
- Verify the signature with the public key
$ openssl dgst -sha256 -verify public.pem -signature sign.sha256 file.txt
Verified OK
Where would I now use a certificate to prove that the software is from the company?
Also, the software is shipping as an application container for Debian, where we create our own application header with metadata such as a checksum. I would also have to include the signature in this header; would it be a good idea to store the output of sign.sha256 there? Maybe in Base64?
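The workflow above, extended with the two pieces the question asks about, as an added example that is not part of the original post: a certificate carries the public key, and the receiver takes the key from the certificate only after checking it against a trusted root, while the signature is stored as one Base64 line. Assumptions: the certificate is self-signed so the demo runs offline (a CA-issued certificate would replace it), and `cert.pem`, `sign.b64` and the subject name are placeholders.

```shell
#!/bin/sh
# Added example on constructed input; file names and CN are placeholders.

# Publisher side: key, certificate for that key, detached signature,
# then the signature as a single Base64 line for a header field.
make_release() {
    dir=$1
    openssl genrsa -out "$dir/privat.pem" 2048 2>/dev/null
    # Self-signed only so the demo is self-contained; normally a CA
    # issues this certificate from a CSR for the same key.
    openssl req -new -x509 -key "$dir/privat.pem" -sha256 -days 30 \
        -subj "/CN=Example Publisher" -out "$dir/cert.pem"
    openssl dgst -sha256 -sign "$dir/privat.pem" \
        -out "$dir/sign.sha256" "$dir/file.txt"
    openssl base64 -A -in "$dir/sign.sha256" -out "$dir/sign.b64"
}

# Receiver side: trust decision first, then key extraction, then the
# same dgst -verify step as in the post. Returns 0 only if all pass.
verify_release() {
    dir=$1 trusted=$2
    # 1. Does the shipped certificate chain to a root we already trust?
    openssl verify -CAfile "$trusted" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # 2. Take the public key from the certificate, not from a loose file.
    openssl x509 -in "$dir/cert.pem" -pubkey -noout \
        > "$dir/pub_from_cert.pem" || return 1
    # 3. Decode the Base64 header value back to the raw signature.
    openssl base64 -d -A -in "$dir/sign.b64" -out "$dir/sig.bin" || return 1
    # 4. Verify the signature over the payload.
    openssl dgst -sha256 -verify "$dir/pub_from_cert.pem" \
        -signature "$dir/sig.bin" "$dir/file.txt" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo=$(mktemp -d)
printf 'constructed example payload\n' > "$demo/file.txt"
make_release "$demo"
verify_release "$demo" "$demo/cert.pem" && echo "certificate trusted, signature OK"
```

The second argument of `verify_release` is the trust anchor the receiver already holds; a certificate that ships inside the package proves nothing unless it is checked against that anchor.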