Forum Discussion
You left out a step. The public key is authenticated with the CA. Otherwise, all that has been verified is that the sender can generate a key pair, which anyone can do with keygen.
I left that part out because it wasn't relevant to the question. The CA element is a function of the PKI model. From a purely cryptographic perspective, digital signatures provide authenticity and data integrity services. Trust is a separate, but important, piece of the puzzle. Plus, since it is the receiver that must do the work of validating both the trust of the sender's certificate and validity of its digitally signed message, the CA component has little bearing on what the BIG-IP can or cannot do in terms of message signing.
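The two separate checks described in this reply, as an added example written for this page (it is not code from the thread or from F5): one function verifies the signature with the public key in the sender's certificate, the other verifies that the certificate chains to a CA the receiver trusts. Assumptions not in the post: Go's standard library, ECDSA over P-256 with SHA-256 as the signature scheme, and the CA names, subject name and message, which are all constructed for the demo. The rogue signer models "anyone with keygen": its signature verifies perfectly, but trust validation rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer pairs a private key with the certificate that asserts who holds it.
// The key pair is just math; the certificate is the CA's statement about it.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newKey generates a P-256 key pair. Anyone can do this; it proves nothing.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// makeCert signs tmpl for pub with the issuer's key and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA builds a self-signed root. A rogue party can build one just as easily;
// what makes it "the CA" is that the receiver chooses to trust it.
func NewCA(name string) *Signer {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	return &Signer{Key: key, Cert: makeCert(tmpl, tmpl, &key.PublicKey, key)}
}

// Issue has ca bind a fresh key pair to name (the cert a CA issues for a virtual server).
func Issue(ca *Signer, name string) *Signer {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	return &Signer{Key: key, Cert: makeCert(tmpl, ca.Cert, &key.PublicKey, ca.Key)}
}

// Sign is all the sender does: hash the message and produce a DER-encoded ECDSA signature.
func Sign(s *Signer, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifySignature answers only the cryptographic question: was msg signed by the
// holder of the private key matching cert's public key, and is msg unmodified?
func VerifySignature(cert *x509.Certificate, msg, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil
}

// VerifyTrust answers the separate PKI question: does a CA the receiver trusts
// vouch for the identity in cert? A valid signature says nothing about this.
func VerifyTrust(cert, trustedRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	ca := NewCA("Example Root CA")                      // the CA the receiver trusts (constructed)
	vs := Issue(ca, "vs.example.com")                   // legitimate sender (constructed)
	rogue := Issue(NewCA("Rogue CA"), "vs.example.com") // same name, own keygen, untrusted issuer
	msg := []byte("constructed sample payload")         // constructed sample input
	for _, s := range []*Signer{vs, rogue} {
		sig := Sign(s, msg)
		fmt.Printf("issuer=%-16s signature ok=%v trusted=%v\n",
			s.Cert.Issuer.CommonName, VerifySignature(s.Cert, msg, sig), VerifyTrust(s.Cert, ca.Cert))
	}
}
```

Both signers print `signature ok=true`; only the certificate issued by the trusted root prints `trusted=true`. That is the split the reply describes: the signing operation itself gives integrity and proof of key possession, and the receiver has to run the chain check separately before the signature means anything about who sent the message.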
And, one assumption is incorrect. As the cert is issued by the CA for the F5 VS, the F5 VS has both public and private keys as the subject of the cert.
Not totally sure what you're saying here, but I'd probably disagree slightly. A certificate is an issued assertion of the identity of a subject, for which the public key is generally embedded. The private key is just a blob of data that cryptographically and mathematically "pairs" with the public key. The F5 VS has both public and private keys assigned in the client SSL profile, but the "subject of the cert" relates more to the certificate than anything else.
And the cert keys (person or non person certs) are used for signing & verification and other purposes.
I would agree.
Finally, I would like to retract one specific comment. The CRYPTO::sign command does provide a cryptographic signing function for data integrity, but it does not provide "digital signature" - a semantic that generally applies to PKI.