4.5. Signing Files with Certificates

Certificate System can sign files that are on a file system or reachable through a URL. It generates a digest of the file and records that digest, together with the other file details, in a certificate issued and signed by the CA.
The Agent-Authenticated File Signing profile is used to sign files. The only required input is the file location, given in the URL Of File Being Signed field. This value can be a real URL, such as http://server.example.com/data/myFile.txt, or it can be the full path to a file on the local system expressed as a file URL, such as file:///home/jsmith/files/myFile.txt.
Figure 4.1. File-Signing Profile

When the file is signed, a corresponding certificate is created with a subject DN that reflects the file information:
Subject:CN=(Name)(Text)(Size)(DigestType)(Digest)
  • (Name) is the optional requestor name.
  • (Text) is the optional information given in the Text Being Signed field. The subject DN does not contain the filename or location. That information can either be stored independently, or the Text Being Signed input can be used to enter descriptive information, such as the filename or a description of the file content, that identifies the signed file.
  • (Size) is the size of the signed file in bytes.
  • (DigestType) is the algorithm used to generate the file digest.
  • (Digest) is the digest of the file, in hexadecimal.
For example:
Subject:CN=(Name)John Smith(Text)Signed text: myFile.txt(Size)5833(DigestType)SHA256(Digest)79aaf14442ab811ace123d9d6917c055636475fbd2b7d921e730fd25d9d3f760
The digest recorded in the subject can be checked against the file by running the tool for the named digest type, in this case sha256sum, and comparing the output:
sha256sum /home/jsmith/files/myFile.txt
79aaf14442ab811ace123d9d6917c055636475fbd2b7d921e730fd25d9d3f760  myFile.txt
The file digest and all other information included in the subject name are protected by the certificate signature. Matching the digest therefore proves the file is the one that was signed only if the certificate itself is also validated: its signature must chain to the trusted CA and it must not have been revoked.
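The following is an added example, not code from Certificate System, showing how a verifier can parse the subject DN layout described above and check a file's size and digest against it. The helper build_file_signing_subject that constructs a subject string is an assumption used to produce test input; the real subject is built by the CA. The sample file content is constructed for the example. The check covers only what the subject encodes; validating the certificate's own signature, chain and revocation status is a separate step.

```python
import hashlib
import re

# Layout documented for the file-signing certificate subject:
#   CN=(Name)<name>(Text)<text>(Size)<bytes>(DigestType)<alg>(Digest)<hex>
# (Name) and (Text) may be empty; the other three fields are always present.
_CN_RE = re.compile(
    r"CN=\(Name\)(?P<name>.*?)\(Text\)(?P<text>.*?)\(Size\)(?P<size>\d+)"
    r"\(DigestType\)(?P<digest_type>[A-Za-z0-9_-]+)\(Digest\)(?P<digest>[0-9a-fA-F]+)"
)


def parse_file_signing_subject(subject):
    """Return a dict of the fields encoded in a file-signing certificate subject.

    Accepts either "CN=..." or "Subject:CN=..." as printed in the documentation.
    Raises ValueError if the string does not follow the documented layout.
    """
    s = subject.strip()
    if s.startswith("Subject:"):
        s = s[len("Subject:"):]
    m = _CN_RE.fullmatch(s)
    if m is None:
        raise ValueError("subject does not match the file-signing CN layout")
    fields = m.groupdict()
    fields["size"] = int(fields["size"])
    fields["digest"] = fields["digest"].lower()
    return fields


def verify_file_against_subject(data, subject):
    """Check file bytes against the size, digest type and digest in the subject.

    Returns (ok, reason). Only the file's correspondence to the subject is
    checked here; the certificate's signature, chain and revocation status
    must be validated separately against the CA.
    """
    fields = parse_file_signing_subject(subject)
    # Map the documented spelling ("SHA256", or "SHA-256") onto hashlib's name.
    algo = fields["digest_type"].lower().replace("-", "")
    if algo not in hashlib.algorithms_available:
        return False, "unsupported digest type: " + fields["digest_type"]
    if len(data) != fields["size"]:
        return False, "size mismatch: subject says %d bytes, file has %d" % (
            fields["size"], len(data))
    actual = hashlib.new(algo, data).hexdigest()
    # Compare the computed digest with the one protected by the certificate.
    if actual != fields["digest"]:
        return False, "digest mismatch"
    return True, "ok"


def build_file_signing_subject(name, text, data, digest_type="SHA256"):
    """Assumed helper: build a subject in the documented layout for test input.

    In a real deployment the CA produces this value when it issues the
    certificate; this function only mirrors the documented format.
    """
    algo = digest_type.lower().replace("-", "")
    digest = hashlib.new(algo, data).hexdigest()
    return "Subject:CN=(Name)%s(Text)%s(Size)%d(DigestType)%s(Digest)%s" % (
        name, text, len(data), digest_type, digest)


# Constructed sample file content and a subject built from it for illustration.
SAMPLE_FILE = b"release notes for build 42\nall tests passed\n"
SAMPLE_SUBJECT = build_file_signing_subject(
    "John Smith", "Signed text: notes.txt", SAMPLE_FILE)

# The subject shown in the documentation, parsed for its recorded fields.
DOC_SUBJECT = ("Subject:CN=(Name)John Smith(Text)Signed text: myFile.txt(Size)5833"
               "(DigestType)SHA256(Digest)"
               "79aaf14442ab811ace123d9d6917c055636475fbd2b7d921e730fd25d9d3f760")


if __name__ == "__main__":
    print(parse_file_signing_subject(DOC_SUBJECT))
    print(verify_file_against_subject(SAMPLE_FILE, SAMPLE_SUBJECT))
    # Same length, one byte changed: size passes, digest fails.
    print(verify_file_against_subject(SAMPLE_FILE[:-1] + b"!", SAMPLE_SUBJECT))
```

The size check is cheap and runs before hashing, so a truncated or padded file is rejected without computing a digest; a same-length modification is caught by the digest comparison. Because the verifier trusts whatever digest type the subject names, an environment that should not accept weak digests should additionally reject subjects whose DigestType is not on an allow-list.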