I would like to create a self-signed DSA certificate on Ubuntu 12.04 for use with a webserver and TLS 1.2 (HTTPS) connection.
I found that you can run the following command to create an RSA one:
openssl genrsa -out server.key 3072
However I need the following properties:
- 3072 bit key length using the regular DSA algorithm (not ECDSA)
- Using SHA2 cryptographic hash function with 384 bits
- Using "perfect forward secrecy" option
- Assign AES 256 as the first order of preference for the symmetric cipher
- No encryption for the private key required (to allow for unattended reboots).
Can someone help me with the parameters to do the following options above?
When a TLS session is initiated, how do you make sure it generates a new random signature value k each time? This is apparently critical to the security of the algorithm. Or is that automatic with OpenSSL?
I have found this TLS 1.2 cipher suite
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 here how do I tell it to use that?
Thanks in advance.