David A. Lee wrote:
> 
> I've built openssl with no-rsa and no-idea
> Now I'm trying to create a CA using CA.sh with some other cipher.
> CA.sh seems to be using the "-new" option to
>     openssl req
> which implies RSA according to the code ...
> So I changed CA.sh to do
>      openssl req -newkey dh: -x509 ...
> 
> Which looks from the code to be the right thing to use DH cipher.
> However I get a slew of non-informative (to me) errors ...
> ----------
> Using configuration from /usr/local/ssl/openssl.cnf
> Generating a 1024 bit DSA private key
> writing new private key to './demoCA/private/./cakey.pem'
> 26942:error:02001002:system library:fopen:system lib:bss_file.c:103:fopen
> ('/extapp/home/dave/.oid','r')
> 26942:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:105:
> 26942:error:0D0B7092:asn1 encoding routines:i2d_PrivateKey:unsupported
> public key type:i2d_pr.c:81:26942:error:09069021:PEM
> routines:PEM_ASN1_write_bio:Malloc failure:pem_lib.c:262:
> 
> -------------------
> 
> Any suggestions on getting a standard openssl without RSA and IDEA ?
> 

Check out my PKCS#12 FAQ for info on DSA (DSS) certificates. 


OpenSSL doesn't support DH certificates.

Here is my standard response as to why...

DH certificates can exist in theory and indeed things like S/MIME v3
require mandatory DH certificate support and SSL includes some ciphers
that require DH certificates. Until now however they appear to be just
that: theoretical. I've never seen one and everyone I've asked hasn't
seen one either. I know of no CA that will sign such things and even the
principle of a "DH certificate request" is not well defined: it involves
signing with something that isn't intended to be signed with.

If I do see one and an appropriate standard for handling things like
certificate request (and not full of <TBD> OIDs) then I'll add support.

Failing that, if there is demand I can add support but it won't work with
anything else because AFAIK nothing else uses them!

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
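The DSA route Steve points to, as an added shell example that is not part of the thread: it replaces the `-newkey dh:` attempt from the quoted post with `-newkey dsa:<params>`, which OpenSSL does support, and then checks that the resulting CA certificate carries no RSA anywhere. It assumes a current `openssl` binary on PATH; the file names and the subject are made-up values.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA without RSA by using a
# DSA key, which OpenSSL supports, instead of the unsupported "dh:" key type.
# Assumes `openssl` is on PATH; file names and the subject are made up.
set -eu

# Generate DSA domain parameters, then a self-signed CA certificate whose
# key is DSA. "-newkey dsa:<paramfile>" is the supported counterpart of the
# "-newkey dh:" that failed in the quoted post. Everything is written to $1.
# Prints the public key algorithm the certificate actually carries.
make_dsa_ca() {
    dir="$1"
    openssl dsaparam -out "$dir/dsaparam.pem" 2048 2>/dev/null
    openssl req -new -x509 -newkey "dsa:$dir/dsaparam.pem" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days 365 -nodes -subj "/CN=Example DSA Test CA" 2>/dev/null
    openssl x509 -in "$dir/cacert.pem" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p'
}

# Check a defender wants before trusting the CA: neither the subject key nor
# the signature algorithm may mention RSA. Returns success if RSA is found.
ca_uses_rsa() {
    openssl x509 -in "$1/cacert.pem" -noout -text | grep -qi rsa
}

workdir=$(mktemp -d)
alg=$(make_dsa_ca "$workdir")
echo "CA public key algorithm: $alg"
if ca_uses_rsa "$workdir"; then
    echo "unexpected: RSA present in CA certificate"
else
    echo "no RSA in CA certificate (key and signature are DSA-based)"
fi
```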


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]