OpenSSL generate different types of self signed certificate

  • Does anyone know how to use OpenSSL to generate certificates for the following public key types:

    1. DSA - For DHE_DSS key exchange.
    2. Diffie-Hellman - For DH_DSS and DH_RSA key exchange.
    3. ECDH - For ECDH_ECDSA and ECDH_RSA key exchange.
    4. ECDSA - For ECDHE_ECDSA key exchange.

    Most that I can find online teaches you how to generate a RSA type certificate though.

  • Tom Leek

    Tom Leek Correct answer

    8 years ago


    For a DSA key pair, use this:

    openssl dsaparam -out dsakey.pem -genkey 1024

    where "1024" is the size in bits. The first DSA standard mandated that the size had to be a multiple of 64, in the 512..1024 range. Then another version deprecated sizes below 1024, so a valid DSA key size had length 1024 bits and nothing else. Current version specifies that a valid DSA key has length 1024, 2048 or 3072 bits. OpenSSL accepts other lengths. If you want to maximize interoperability, use 1024 bits.

    For an ECDSA key pair, use this:

    openssl ecparam -genkey -out eckey.pem -name prime256v1

    To see what curve names are supported by OpenSSL, use: openssl ecparam -list_curves

    (For optimal interoperability, stick to NIST curve P-256, that OpenSSL knows under the name "prime256v1".)

    Once you have a DSA or ECDSA key pair, you can generate a self-signed certificate containing the public key, and signed with the private key:

    openssl req -x509 -new -key dsakey.pem -out cert.pem

    (Replace "dsakey.pem" with "eckey.pem" to use the EC key generated above.)


    For Diffie-Hellman (with or without elliptic curves), things are more complex, because DH is not a signature algorithm:

    • You will not be able to produce a self-signed certificate with a DH key.
    • You cannot either make a PKCS#10 request for a certificate with a DH key, because a PKCS#10 request is supposed to be self-signed (this self-signature is used as a proof of possession).

    While OpenSSL, the library, has the support needed for issuing a certificate which contains a DH public key; this page may contain pointers. The challenge is to convince OpenSSL, the command-line tool, to do it. In the jungle of the OpenSSL documentation, I have not found a complete way to do it. Key pairs are easy enough to generate, though.

    To generate a DH key pair, with the OpenSSL command-line tool, you have to do it in two steps:

    openssl dhparam -out dhparam.pem 1024
    openssl genpkey -paramfile dhparam.pem -out dhkey.pem

    For an ECDH key pair, use this:

    openssl ecparam -out ecparam.pem -name prime256v1
    openssl genpkey -paramfile ecparam.pem -out ecdhkey.pem

    However, it so happens that the format for certificates containing ECDH public keys is completely identical to the format for certificates containing ECDSA public keys; indeed, the format contains "an EC public key" without indication of the intended algorithm (ECDH or ECDSA). Therefore, any private key and certificates for ECDSA (private key for generating ECDSA signatures, certificate self-signed or signed by any other CA) will be fit for ECDH-* cipher suites.

    The one case that I don't know how to produce with the OpenSSL command-line tool is a static Diffie-Hellman (non-EC) certificate. Note, though, that OpenSSL does not support SSL/TLS with static DH cipher suites either, so even if you could produce the certificate, it would not work with OpenSSL.

    (And, in fact, nobody uses static DH in practice.)

    One question though, why nobody uses static DH in practice? Practically,if I use DH-RSA, wouldn't it provides good security as well?

    There is no known security issue with static DH. But nobody wants to use DH because it would be hard to test and would not promote interoperability, because... nobody uses DH. The _source_ of the issue is that back in the early 1990s, when SSL and X.509 were in their infancy, the standard describing DH was not free (and is still not), so open source developers had a preference for RSA.

    Also, DHE-RSA (or any other cipher suite with _ephemeral_ DH or ECDH) provides _Perfect Forward Secrecy_, which is a nice thing to have.

    Nitpick: the same EC *key* (or exactly SPKI) is usable for both ECDSA and ECDH, but the *cert* can also contain KeyUsage extension which can enable only one of them. openssl `req -new -x509` can include KeyUsage depending on the config file used. Also FWLIW 1.0.2-beta does, and 1.0.2 release presumably will, finally implement static-DH; I don't know if someone actually requested it, or if it was just in the list of way-old leftovers getting cleaned up post-Heartbleed.

    OpenSSL has now added support for DH_RSA and DH_DSS ciphersuites in version 1.0.2 and 1.1.0+. These ciphersuites use certificates which contain a static DH key, but are signed with either RSA or DSA(DSS). They cannot be self-signed.

    @davenpcj 1.0.2 did add static-DH, but 1.1.0 removed both static-DH and static-ECDH (the latter dating mostly to 0.9.8, although for a long time RedHat builds deleted all ECC).

    @schaeferpp: FYI the stricter option parsing is since 1.1.0 (not only .1), and it's enough to move the number; `dsaparam -genkey -out file 1024` also works.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM