
How to generate a proof of possession for an X509 certificate using OpenSSL?

I need to generate a proof of possession, signing a verification code with my private key.

I did not find a related question here on Stack Overflow, and I am not finding any reference on the Internet. I am following this tutorial, but I want to use OpenSSL.

My verification code is related to an X509 certificate, like this:

7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1
Dalton Cézane asked Jan 02 '23 09:01



1 Answer

I got the answer from the Azure support team.

I already had my root key and X509 cert, generated with the following command:

openssl req -x509 -newkey rsa:2048 -keyout root_private.pem -nodes -out root_cert.pem

Then, I needed to generate the verification cert...

  • Create verification key:

    openssl genrsa -out verification.key 2048
    
  • Create the verification cert:

    openssl req -new -key verification.key -out verification.csr
    

When creating the verification cert, I need to specify the verification code obtained (7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1) as the "Common Name" certificate field.

Now, just create the proof of possession certificate with the following command:

openssl x509 -req -in verification.csr -CA root_cert.pem -CAkey root_private.pem -CAcreateserial -out verificationCert.pem -days 1024 -sha256

If I am not wrong, this last command signs the verification.csr, which has the verification code as the Common Name, with the root private key. At the end, the verificationCert.pem can be used as the proof of possession.

Dalton Cézane answered Jan 06 '23 03:01
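The steps in the answer above, run non-interactively and followed by a local check of the result, as an added example that is not part of the original post. The `-subj` option replaces the interactive prompts, the root subject "/CN=Example Root CA" is a constructed value, and the function names `make_proof` and `check_proof` are hypothetical.

```shell
#!/bin/sh
# Added example, not the answer author's script. File names follow the answer.
set -eu

# Verification code quoted in the question.
CODE="7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1"

# make_proof DIR CODE: build root CA, verification key, CSR and signed cert in DIR.
make_proof() {
  dir="$1"; code="$2"
  # Root key and self-signed root certificate (subject is a constructed value).
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root_private.pem" -out "$dir/root_cert.pem" 2>/dev/null
  # Verification key.
  openssl genrsa -out "$dir/verification.key" 2048 2>/dev/null
  # CSR whose Common Name is exactly the verification code.
  openssl req -new -key "$dir/verification.key" -subj "/CN=$code" \
    -out "$dir/verification.csr"
  # Sign the CSR with the root private key: this is the proof of possession.
  openssl x509 -req -in "$dir/verification.csr" \
    -CA "$dir/root_cert.pem" -CAkey "$dir/root_private.pem" -CAcreateserial \
    -out "$dir/verificationCert.pem" -days 1024 -sha256 2>/dev/null
}

# check_proof DIR CODE: succeed only if the cert was signed by the root key
# and its subject Common Name equals the expected verification code.
check_proof() {
  dir="$1"; code="$2"
  openssl verify -CAfile "$dir/root_cert.pem" "$dir/verificationCert.pem" \
    >/dev/null 2>&1 || return 1
  subject=$(openssl x509 -in "$dir/verificationCert.pem" -noout -subject \
    -nameopt RFC2253)
  case "$subject" in
    *"CN=$code") return 0 ;;
    *) return 1 ;;
  esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_proof "$work" "$CODE"
if check_proof "$work" "$CODE"; then
  echo "verificationCert.pem chains to root_cert.pem and carries the code as CN"
fi
```

A mistyped Common Name is the usual reason a proof of possession is rejected, so `check_proof` compares the subject as well as the signature before the certificate is uploaded.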
