Miroslav Kratochvil <[email protected]> writes: > Hi everyone, > > well, after I solved the problem at [1], I got to real problems problems: > > I want gnutls to negotiate encrypted connection using DSA keys. I > realized that I will have to use DHE_DSS algorithm, but I have no idea > how to generate a certificate for one. Googling failed, and > documentation says only that "DHE_DSS uses DSA keys in certificates." > > In OpenSSL world (from where I'm migrating) it was easy, one just > appended "-dsa" to key generating parameters, and it was done. > Nevertheless; with gnutls and --dsa option; I'm getting error -89 > (Public key signature verification has failed.). RSA alternative > (--rsa with the same commands) works ok. > > So, is there any tutorial or howto on generating suitable DSA keys for > use with encryption? Ideally with a complete certtool script for > generating one selfsigned CA keypair and other that-ca-signed keypair.
Check the manual: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html Generating a certificate using those instructions seems to work fine here, see log below. You are right that the manual doesn't give an example for DSA keys, so I added one: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06 Can you explain exactly what you did to get the -89 error? /Simon j...@mocca:~$ certtool --generate-privkey --outfile key.pem --dsa Generating a 2048 bit DSA private key... j...@mocca:~$ cat key.pem -----BEGIN DSA PRIVATE KEY----- MIIDGQIBAAKCAQEAw8xAilE8wNbdQZJVRGpOjEYdibjT3N5vpDMmsqf4unH1Mlht w/ZPmkUs5vww+XpTCs64QKfJmBSmoXFAFJMiKm8J8yacnd7PdYBmSFIizZJ9S+BJ SDY+SAb0lz9F/De/jJNZg9cIAtpcD7oDduoD9pS/rI74JFpwO8v48BuQYnuBb+0y h95rKGkFSy2yEgQcRjb8H+utddMV57U/w9j80NGJABYevEpzIFttnREpdoXmEk9j 5aqg/eh33fCXXsknhVEq/onojmswXE3zUfyGOxcuTzhaUWU9edN9c28+RusBJFsH u9E9VJEeNYd2zj4/vxixQZtVRbzfNJuVlXZlOQIDAQABAoIBAEJQysdOTopt+9B6 tKCQdPwzv0tnK3LSb/OoU4INPERB1q9vnfXSVhHFPjkZz6if0sKFU4iqi7ATxoBF sFOHpfnDVBZjzIX38kI08++oyhrgc8mgNJHdtWiF2o/joVuUsi71tUrfKNp2hNna wdOj3SXGKclTPx5o9zx5kF4ap+OConIh9t1q1cNntF+slzGh2X8FIJQOV20NrSrm nsi3O6uLzu6Mg+9j2d9kLF8tph9JhtbV88BsoQVAALwpXsWYEQ4/7FVZfYPr2HNM sGbm7SKMsYNaDTUB6608Tt6kPUh1b7E8OD2UtE/abtqnM7SW+1Uop8E98ePYPBG+ pYVyc3UCgYEAxYo5RbY5gP9zszToGFNM6/X1wNUsWp5QDFA4qKiy9ZExAhTDnxtL KIbVHW509LuQnDWES+XmM3KmjIPdKHSb2pgGqCwSShd4xbdUfsy+XDuWCPcsQG+M geZSZNtYT6a3Y72vWEZrFO71jNaHi2NZrVvY8ekrWY1lc6S7DKBzB0MCgYEA/b4M Hl9JGQEv0axXQl4jEVlBRVXO+t/ZXyM2Z0wp+s6QCm1LhuhJJXLmWhumSE19eER3 eNmB9SPRIy6Ar96ZfxebMJaLGZZQEpCGT+5CZXIWc9liZZK9W1ef6UkztUOAeyy0 010Hv8kMhryRJtOvpbogv1uxd3YGV/HI5o7949M= -----END DSA PRIVATE KEY----- j...@mocca:~$ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey ~/src/www-gnutls/test-credentials/x509-ca-key.pem Generating a signed certificate... Please enter the details of the certificate's distinguished name. Just press enter to ignore a field. Country name (2 chars): SE Organization name: Organizational unit name: Locality name: State or province name: Common name: foo.bar.com UID: This field should not be used in new certificates. E-mail: Enter the certificate's serial number in decimal (default: 1240236605): Activation/Expiration time. The certificate will expire in (days): The certificate will expire in (days): 180 Extensions. Does the certificate belong to an authority? (y/N): Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y Enter the dnsName of the subject of the certificate: foo.bar.com Enter the dnsName of the subject of the certificate: X.509 Certificate Information: Version: 3 Serial Number (hex): 49ec823d Validity: Not Before: Mon Apr 20 14:10:06 UTC 2009 Not After: Sat Oct 17 14:10:08 UTC 2009 Subject: C=SE,CN=foo.bar.com Subject Public Key Algorithm: DSA Public key (bits 1024): c5:8a:39:45:b6:39:80:ff:73:b3:34:e8:18:53:4c:eb f5:f5:c0:d5:2c:5a:9e:50:0c:50:38:a8:a8:b2:f5:91 31:02:14:c3:9f:1b:4b:28:86:d5:1d:6e:74:f4:bb:90 9c:35:84:4b:e5:e6:33:72:a6:8c:83:dd:28:74:9b:da 98:06:a8:2c:12:4a:17:78:c5:b7:54:7e:cc:be:5c:3b 96:08:f7:2c:40:6f:8c:81:e6:52:64:db:58:4f:a6:b7 63:bd:af:58:46:6b:14:ee:f5:8c:d6:87:8b:63:59:ad 5b:d8:f1:e9:2b:59:8d:65:73:a4:bb:0c:a0:73:07:43 P: c3:cc:40:8a:51:3c:c0:d6:dd:41:92:55:44:6a:4e:8c 46:1d:89:b8:d3:dc:de:6f:a4:33:26:b2:a7:f8:ba:71 f5:32:58:6d:c3:f6:4f:9a:45:2c:e6:fc:30:f9:7a:53 0a:ce:b8:40:a7:c9:98:14:a6:a1:71:40:14:93:22:2a 6f:09:f3:26:9c:9d:de:cf:75:80:66:48:52:22:cd:92 7d:4b:e0:49:48:36:3e:48:06:f4:97:3f:45:fc:37:bf 8c:93:59:83:d7:08:02:da:5c:0f:ba:03:76:ea:03:f6 94:bf:ac:8e:f8:24:5a:70:3b:cb:f8:f0:1b:90:62:7b 81:6f:ed:32:87:de:6b:28:69:05:4b:2d:b2:12:04:1c 46:36:fc:1f:eb:ad:75:d3:15:e7:b5:3f:c3:d8:fc:d0 d1:89:00:16:1e:bc:4a:73:20:5b:6d:9d:11:29:76:85 e6:12:4f:63:e5:aa:a0:fd:e8:77:dd:f0:97:5e:c9:27 85:51:2a:fe:89:e8:8e:6b:30:5c:4d:f3:51:fc:86:3b 17:2e:4f:38:5a:51:65:3d:79:d3:7d:73:6f:3e:46:eb 01:24:5b:07:bb:d1:3d:54:91:1e:35:87:76:ce:3e:3f bf:18:b1:41:9b:55:45:bc:df:34:9b:95:95:76:65:39 Q: 01:00:01 G: 42:50:ca:c7:4e:4e:8a:6d:fb:d0:7a:b4:a0:90:74:fc 33:bf:4b:67:2b:72:d2:6f:f3:a8:53:82:0d:3c:44:41 d6:af:6f:9d:f5:d2:56:11:c5:3e:39:19:cf:a8:9f:d2 c2:85:53:88:aa:8b:b0:13:c6:80:45:b0:53:87:a5:f9 c3:54:16:63:cc:85:f7:f2:42:34:f3:ef:a8:ca:1a:e0 73:c9:a0:34:91:dd:b5:68:85:da:8f:e3:a1:5b:94:b2 2e:f5:b5:4a:df:28:da:76:84:d9:da:c1:d3:a3:dd:25 c6:29:c9:53:3f:1e:68:f7:3c:79:90:5e:1a:a7:e3:82 a2:72:21:f6:dd:6a:d5:c3:67:b4:5f:ac:97:31:a1:d9 7f:05:20:94:0e:57:6d:0d:ad:2a:e6:9e:c8:b7:3b:ab 8b:ce:ee:8c:83:ef:63:d9:df:64:2c:5f:2d:a6:1f:49 86:d6:d5:f3:c0:6c:a1:05:40:00:bc:29:5e:c5:98:11 0e:3f:ec:55:59:7d:83:eb:d8:73:4c:b0:66:e6:ed:22 8c:b1:83:5a:0d:35:01:eb:ad:3c:4e:de:a4:3d:48:75 6f:b1:3c:38:3d:94:b4:4f:da:6e:da:a7:33:b4:96:fb 55:28:a7:c1:3d:f1:e3:d8:3c:11:be:a5:85:72:73:75 Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Key Purpose (not critical): TLS WWW Client. TLS WWW Server. Subject Alternative Name (not critical): DNSname: foo.bar.com Key Usage (critical): Digital signature. Subject Key Identifier (not critical): e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f Authority Key Identifier (not critical): e93c1cfbad926ee606a4562ca2e1c05327c8f295 Other Information: Public Key Id: e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f Is the above information ok? (Y/N): y Signing certificate... j...@mocca:~$ certtool -v certtool (GnuTLS) 2.6.5 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Written by Nikos Mavrogiannopoulos and Simon Josefsson. j...@mocca:~$ _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
