Parameters to create a self-signed DSA certificate on Ubuntu 12.04

Tags: certificate, dsa, rsa, ssl

I would like to create a self-signed DSA certificate on Ubuntu 12.04 for use with a webserver and TLS 1.2 (HTTPS) connection.

I found that you can run the following command to create an RSA one:

openssl genrsa -out server.key 3072

However I need the following properties:

  • 3072 bit key length using the regular DSA algorithm (not ECDSA)
  • Using SHA2 cryptographic hash function with 384 bits
  • Using "perfect forward secrecy" option
  • Assign AES 256 as the first order of preference for the symmetric cipher
  • No encryption for the private key required (to allow for unattended reboots).

Can someone help me with the parameters to do the following options above?

When a TLS session is initiated, how do you make sure it generates a new random signature value k each time? This is apparently critical to the security of the algorithm. Or is that automatic with OpenSSL?

I have found this TLS 1.2 cipher suite, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, here. How do I tell it to use that?

Thanks in advance.

Best Answer

Whatever you're doing, there's a pretty good chance you're doing it wrong based on the way you framed this question. If you found a blog post somewhere telling you that you needed to do this-or-that, don't just follow it without really knowing what it says. The reason why I say this is because most of the features you've asked for have nothing to do with creating a self-signed DSA certificate.

Instead, post a question asking about what you're actually trying to accomplish. It may be that the solution is not what you think it is.

But since you asked, here's how you generate a self-signed DSA certificate of 3072 bits:

openssl dsaparam -out params.pem 3072
openssl gendsa -out key.pem params.pem
openssl req -new -key key.pem -out req.pem
openssl x509 -req -in req.pem -signkey key.pem -out certificate.cer