Peter Djalaliev wrote, On 2008-08-07 07:30:

> Do the NSS APIs allow creating a new Diffie-Hellman SSL server
> certificate?  

Yes, I'm pretty sure they do, but I think we have no test programs that
will do so easily.  I don't recall that certutil supports the generation
of certs with DH public keys.  certcgi (no longer supported, but still in
the source tree) might.

> From what I understand, we need to generate DH parameters and create an
> X509 certificate with the DH public key (and params) in the subject
> public key info.

Um, OK.  Out of curiosity, if you don't mind revealing it, please tell
us (me) where that requirement comes from.  I ask because I don't know
of ANY public CA that issues such certs today.  The last CA I knew of
that did was the US DoD's CA that issued certificates for Fortezza cards.

> This certificate is then signed by a CA using RSA and DSS (hence the
> DH_RSA_* and DH_DSS_* SSL cipher suites).

Well, in any given cert, it will be signed by either RSA or DSS, not
both, of course.

> We are not trying to create a certificate for ephemeral Diffie-Hellman
> key exchange, where the DH public key and params are signed with a RSA
> or DSA certificate, which is in turn signed by a CA.

OK, that's what you're NOT trying to do. :)  So, what ARE you trying to do?

> This should be a relatively simple thing to do, but I can't seem to
> find anything online.  It might be that nobody uses DH certificates
> these days 

Yeah, I think that's it.

> or that I am looking in the wrong direction.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
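The thread asks for an object that the NSS test tools don't readily produce: an X.509 certificate whose subjectPublicKeyInfo carries a Diffie-Hellman public key together with its p and g parameters, signed by a CA that holds either an RSA or a DSS (DSA) key, one or the other. The example below is added here as an illustration; it is not NSS or certutil code and is not from anyone in the thread. It uses the Python `cryptography` library only for key generation, signing and loading the DH SubjectPublicKeyInfo, and encodes the certificate itself with a small hand-written DER encoder so the structure the thread describes is visible. It goes one step beyond the question by producing both the RSA-signed and the DSA-signed variant (the DH_RSA and DH_DSS cases mentioned above). The function names `build_dh_certificate` and `verify_dh_certificate`, the subject `dh.example.test`, the fixed validity window and the small key sizes are all constructed for this example.

```python
"""Constructed example: an X.509 v1 certificate with a DH public key (and its
parameters) in subjectPublicKeyInfo, signed by an RSA or a DSA CA key.
Not NSS/certutil code; the DER encoder below covers only what this needs."""
import datetime
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dh, dsa, padding, rsa


# ---- minimal DER encoder -------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):                      # non-negative INTEGER, minimal two's complement
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:             # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_name(common_name):           # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    atv = der_seq(der_oid("2.5.4.3"), tlv(0x0C, common_name.encode()))   # CN, UTF8String
    return der_seq(tlv(0x31, atv))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


# ---- CA signature: RSA *or* DSA, never both in one certificate -----------
def signature_algorithm(ca_key):
    if isinstance(ca_key, rsa.RSAPrivateKey):      # sha256WithRSAEncryption, NULL params
        return der_seq(der_oid("1.2.840.113549.1.1.11"), b"\x05\x00")
    if isinstance(ca_key, dsa.DSAPrivateKey):      # dsa-with-sha256, parameters absent
        return der_seq(der_oid("2.16.840.1.101.3.4.3.2"))
    raise TypeError("CA key must be RSA or DSA")

def sign(ca_key, tbs):
    if isinstance(ca_key, rsa.RSAPrivateKey):
        return ca_key.sign(tbs, padding.PKCS1v15(), hashes.SHA256())
    return ca_key.sign(tbs, hashes.SHA256())      # DSA: already DER-encoded (r, s)

def build_dh_certificate(ca_key, issuer_cn, subject_cn, dh_public, serial=1):
    """Return DER for a v1 certificate whose SPKI is the DH key, signed by ca_key."""
    # cryptography emits the DH SubjectPublicKeyInfo itself (PKCS#3 dhKeyAgreement
    # OID, with p and g as the algorithm parameters); it is embedded unchanged.
    spki = dh_public.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    sig_alg = signature_algorithm(ca_key)
    not_before = datetime.datetime(2024, 1, 1)      # fixed window: example only
    tbs = der_seq(der_int(serial), sig_alg, der_name(issuer_cn),
                  der_seq(der_utctime(not_before),
                          der_utctime(not_before + datetime.timedelta(days=365))),
                  der_name(subject_cn), spki)
    return der_seq(tbs, sig_alg, tlv(0x03, b"\x00" + sign(ca_key, tbs)))


# ---- minimal DER reader and verifier -------------------------------------
def read_tlv(buf, pos=0):
    """Decode one TLV at pos: (tag, body, raw TLV bytes, position after it)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, b, raw, pos = read_tlv(body, pos)
        out.append((tag, b, raw))
    return out

def verify_dh_certificate(cert_der, ca_public):
    """Check the CA signature over tbsCertificate and return the DH key in the SPKI."""
    _, cert_body, _, _ = read_tlv(cert_der)
    (_, tbs_body, tbs_raw), (_, _, sig_alg_raw), (_, sig_bits, _) = children(cert_body)
    if sig_bits[0] != 0:
        raise ValueError("unexpected unused bits in signature BIT STRING")
    fields = children(tbs_body)      # v1 order: serial, sigAlg, issuer, validity, subject, spki
    if fields[1][2] != sig_alg_raw:  # inner and outer AlgorithmIdentifier must agree
        raise ValueError("signature algorithm mismatch")
    if isinstance(ca_public, rsa.RSAPublicKey):
        ca_public.verify(sig_bits[1:], tbs_raw, padding.PKCS1v15(), hashes.SHA256())
    else:
        ca_public.verify(sig_bits[1:], tbs_raw, hashes.SHA256())
    key = serialization.load_der_public_key(fields[5][2])
    if not isinstance(key, dh.DHPublicKey):
        raise ValueError("subjectPublicKeyInfo does not hold a DH key")
    return key

def demo():
    """Issue a DH_RSA-style and a DH_DSS-style certificate for one DH key."""
    params = dh.generate_parameters(generator=2, key_size=512)   # demo size only
    dh_public = params.generate_private_key().public_key()
    cas = {"DH_RSA": rsa.generate_private_key(65537, 2048),
           "DH_DSS": dsa.generate_private_key(1024)}               # demo size only
    results = {}
    for label, ca_key in cas.items():
        der = build_dh_certificate(ca_key, f"{label} test CA", "dh.example.test", dh_public)
        recovered = verify_dh_certificate(der, ca_key.public_key())
        results[label] = recovered.public_numbers() == dh_public.public_numbers()
    return results

if __name__ == "__main__":
    print(demo())
```

The certificate is v1 with no extensions, which keeps the encoder short; a v3 variant would add the `[0] EXPLICIT` version and an extensions field but the SPKI handling is identical. The DER written by `build_dh_certificate` can be dumped with `openssl x509 -inform DER -text -noout` to confirm that the Subject Public Key Info reports the DH algorithm with its prime and generator.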