OpenSSL and MS CryptoAPI: different digital signatures

Question

I generated X509 certificate with private key using makecert utility

makecert -n \"CN=RootCATest\" -r -sv RootCATest.pvk RootCATest.cer 
makecert -sk MyKeyNa         


        

Answer 1

How can I obtain the same signature?

Most digital signature algorithms - including RSA, which I suppose you have used here, are non-deterministic. Try signing the same file twice with the same program, and you will get different outputs.

This means, running the same algorithm twice with the same input will give you different signatures. This is not a problem, as long as the verification algorithm still manages to accept all signatures generated by the signing algorithm (with the fitting key).

This non-determinism is often actually necessary for the security of the signature scheme.

To see if your two signature algorithms are actually compatible, try to verify the OpenSSL signature with the MS Crypto API, and to verify the MS Crypto signature with OpenSSL. (Then modify the file by one byte and check that they don't verify anymore.)