picture of tbs certificates
picture of tbs certificates
Our products range

Prove control over a private key using Openssl

You can cryptographically prove that you possess a private key, without disclosing it, using Openssl and a base64 encoder/decoder.


These terms will be consistently used to limit any risk of ambiguity.
  • Requester: the person asking for proof
  • Demonstrator: the person proving they possess the private key


Step 1: The requested generates a random message

It is very important that it is the requester that generates the message, not the demonstrator, to limit "cheating" risks, for instance by proof repetition.

It is also important that the message have a sufficient size, in this example: 512 bytes.

openssl rand -base64 512 > messagetbs

Step 2: the demonstrator signs

The demonstrator uses the messagetbs message and its private key proofCert.pkey to generate the signature messagetbs.sig.

base64 -d messagetbs | openssl dgst -sha256 -sign proofCert.pkey | base64 > messagetbs.sig 

Step 3: the requester checks the signature

base64 -d messagetbs.sig > messagetbs.sig.bin

openssl x509 -in proofCert.cer -pubkey -noout > proofCert.pubkey

base64 -d messagetbs | openssl dgst -sha256 -verify proofCert.pubkey -signature messagetbs.sig.bin

Openssl will then indicate if the signature was valid.

Verified OK