On Wed, Aug 15, 2007, Xiaoyu Ruan wrote:

> Can OpenSSL generate an X.509 certificate with DH public keys?
> I tried the following but it does not work.
>
> openssl> gendh 1024 -out DH.key //Generate DH parameters
> openssl> req -new -key DH.key -out serverDH.csr //Generate cert request
> unable to load Private Key
> 2612:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:647:Expecting: ANY PRIVATE KEY
>
> Seems I have to generate DH private key too. Anyone know how to have a
> CA sign a DH public key?
>

OpenSSL doesn't support generation of DH certificates.

The problem is that DH keys cannot be used to sign and in particular sign certificate requests. There are some DH specific ways to effectively "sign" requests but OpenSSL doesn't support them.

Until OpenSSL 0.9.9-dev there was no DH keypair generation command, nor any handling for DH certificates at all. It still isn't possible to generate DH certificates though even in 0.9.9.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
