[Pki-users] Generating certificates with DSA signatures

Christina Fu cfu at redhat.com
Sat Sep 13 00:04:05 UTC 2014


Hi Fraser,

The CA does not need to be DSA.  It can be RSA and sign a DSA cert for 
you.  You just need to generate a CSR with a DSA key.

For example, you can use certutil to generate a DSA CSR:
# certutil -d . -R -k dsa -s "CN=cfuTestDSA" -a -o cfuDSA.req.b64
# cat cfuDSA.req.b64

Paste that into "Other Certificate Enrollment" at the CA EE page, submit
Go to CA agent and approve it and I see:
<snip>

             Subject Public Key Info:
                 Algorithm: DSA - 1.2.840.10040.4.1
<snip>


Hope this helps,
Christina


On 09/11/2014 12:22 AM, Fraser Tweedale wrote:
> Hi all,
>
> Is there some documentation somewhere about how to set up /
> configure a CA subsystem such that it can sign requests with DSA
> rather than RSA?
>
> I guess that you need to spawn an instance with a DSA signing key or
> somehow configure one after the spawning, but I'm not sure how to do
> this.
>
> Cheers,
>
> Fraser
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
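
The point made in the reply above (the subject's key algorithm and the CA's signing algorithm are independent), checked offline as an added example that is not part of the original thread. It assumes OpenSSL stands in for both certutil and the CA; the file names, the CA subject and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: an RSA CA issuing a certificate for a DSA key.
# OpenSSL stands in for certutil and for the CA; every file name and the
# CA subject below are constructed for this demo.

# Build a throwaway RSA CA, a DSA key + CSR, and the issued certificate.
# Prints the directory that holds the results.
make_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" &&
        # Self-signed RSA CA (stand-in for the real CA's signing key).
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=Demo RSA CA" -days 1 &&
        # DSA domain parameters, then the subject's DSA key pair.
        openssl dsaparam -out dsa.param 2048 &&
        openssl gendsa -out dsa.key dsa.param &&
        # CSR carrying the DSA public key, signed with the DSA private key.
        openssl req -new -key dsa.key -subj "/CN=cfuTestDSA" -out dsa.csr &&
        # The RSA CA signs the request.
        openssl x509 -req -in dsa.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 1 -sha256 -out dsa.crt
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Subject Public Key Info algorithm of a CSR / certificate.
# OpenSSL prints OID 1.2.840.10040.4.1 as "dsaEncryption".
csr_key_alg()  { openssl req  -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'; }
cert_key_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'; }

# Algorithm the issuer used to sign the certificate (first occurrence).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# True when the DSA certificate chains to the RSA CA.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/dsa.crt" >/dev/null 2>&1; }

dir=$(make_demo) || { echo "openssl failed" >&2; exit 1; }
echo "CSR key:   $(csr_key_alg "$dir/dsa.csr")"
echo "cert key:  $(cert_key_alg "$dir/dsa.crt")"
echo "signed by: $(cert_sig_alg "$dir/dsa.crt")"
chain_ok "$dir" && echo "chain: OK"
```

The certificate's public key algorithm is DSA while its signature algorithm is RSA with SHA-256, the same split the approved request shows in its Subject Public Key Info.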



