Author Topic: Sign PKCS#7 and verify PKCS#7 signature with OpenSSL  (Read 643 times)


  • Newbie
  • Posts: 4
Sign PKCS#7 and verify PKCS#7 signature with OpenSSL
« on: June 14, 2021, 09:01:12 am »
If someone have to transfer X.509 certificates in a single bundle, usually, it is recommended to pack them into PKCS#7. And content of PKCS#7 can be signed.

OpenSSL allows to pack certificates into PKCS#7 in the following way:

openssl crl2pkcs7 -nocrl -certfile domain.crt -certfile ca-chain.crt -out domain.p7b

As I understand from the man page of 'openssl crl2pkcs7', this PKCS#7 is signed:

The output file is a PKCS#7 signed data structure containing no signers and just certificates and an optional CRL.

A few questions here:

What does 'containing no signers' mean?
If the content (certificates) of PKCS#7 is not really signed, how can it be done using OpenSSL?
How signature of PKCS#7 can be verified using OpenSSL considering that it was signed?
If I understand overall concept wrongly, please, clarify that.


TinyPortal © 2005-2018