Parameters to create a self-signed DSA certificate on Ubuntu 12.04


I would like to create a self-signed DSA certificate on Ubuntu 12.04 for use with a webserver and TLS 1.2 (HTTPS) connection.

I found that you can run the following command to create an RSA one:

openssl genrsa -out server.key 3072

However I need the following properties:

  • 3072 bit key length using the regular DSA algorithm (not ECDSA)
  • Using SHA2 cryptographic hash function with 384 bits
  • Using "perfect forward secrecy" option
  • Assign AES 256 as the first order of preference for the symmetric cipher
  • No encryption for the private key required (to allow for unattended reboots).

Can someone help me with the parameters to do the following options above?

When a TLS session is initiated, how do you make sure it generates a new random signature value k each time? This is apparently critical to the security of the algorithm. Or is that automatic with OpenSSL?

I have found this TLS 1.2 cipher suite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 here how do I tell it to use that?

Thanks in advance.

Best Answer

Whatever you're doing, there's a pretty good chance you're doing it wrong based on the way you framed this question. If you found a blog post somewhere telling you that you needed to do this-or-that, don't just follow it without really knowing what it says. The reason why I say this is because most of the features you've asked for have nothing to do with creating a self-signed DSA certificate.

Instead, post a question asking about what you're actually trying to accomplish. It may be that the solution is not what you think it is.

But since you asked, here's how you generate a self-signed DSA certificate of 3072 bits:

openssl dsaparam -out params.pem 3072
openssl gendsa -out key.pem params.pem
openssl req -new -key key.pem -out req.pem
openssl x509 -req -in req.pem -signkey key.pem -out certificate.cer
Related Question