It's not entirely obvious that "-x509" actually means "produce a csr, self-sign it (defaulting to SHA1), throw away the csr and write the cert" and this had me stuck for a long time when I wanted to play with DSA server certs.
So here's a diff which moves DSA cert generation instructions to the same style as RSA where the process is to produce a CSR and tell people how to sign it in separate steps. It doesn't take much longer and is clearer. As a bonus there are instructions for ECDSA cert generation. OK? Index: ssl.8 =================================================================== RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.53 diff -u -p -r1.53 ssl.8 --- ssl.8 27 Nov 2012 01:02:07 -0000 1.53 +++ ssl.8 6 Mar 2013 12:53:51 -0000 
@@ -150,18 +150,66 @@ The following command will generate 1024 # openssl dsaparam 1024 -out dsa1024.pem .Ed .Pp -Once you have the DSA parameters generated, you can generate a certificate -and unencrypted private key using the command: +Once you have the DSA parameters generated, you can generate a Certificate +Signing Request and unencrypted private key using the command: .Bd -literal -offset indent -# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +# openssl req -nodes -newkey dsa:dsa1024.pem \e + -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem .Ed .Pp To generate an encrypted private key, you would use: .Bd -literal -offset indent -# openssl req -x509 -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +# openssl req -newkey dsa:dsa1024.pem \e + -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem .Ed +.Pp +This +.Pa server.csr +file can then be given to a Certificate Authority who will sign the key. +.Pp +You can also sign the key yourself, using the command: +.Bd -literal -offset indent +# openssl x509 -sha256 -req -days 365 \e + -in /etc/ssl/private/dsacert.csr \e + -signkey /etc/ssl/private/dsacert.key \e + -out /etc/ssl/dsacert.crt +.Ed +.Pp +.Sh GENERATING ECDSA SERVER CERTIFICATES +First, generate parameters for ECDSA keys. 
+The following command will use a NIST/SECG curve over a 384 bit +prime field: +.Bd -literal -offset indent +# openssl ecparam -out ec-secp384r1.pem -name secp384r1 +.Ed +.Pp +Once you have the ECDSA parameters generated, you can generate a self-signed +certificate and unencrypted private key using the command: +.Bd -literal -offset indent +# openssl req -nodes -newkey ec:ec-secp384r1.pem \e + -keyout /etc/ssl/private/eccert.key -new \e + -out /etc/ssl/private/eccert.csr +.Ed +.Pp +To generate an encrypted private key, you would use: +.Bd -literal -offset indent +# openssl req -newkey ec:ec-secp384r1.pem \e + -keyout /etc/ssl/private/eccert.key -new \e + -out /etc/ssl/private/eccert.csr +.Ed +.Pp +This +.Pa eccert.csr +file can then be given to a Certificate Authority who will sign the key. +.Pp +You can also sign the key yourself, using the command: +.Bd -literal -offset indent +# openssl x509 -sha256 -req -days 365 \e + -in /etc/ssl/private/eccert.csr \e + -signkey /etc/ssl/private/eccert.key \e + -out /etc/ssl/eccert.crt +.Ed +.Pp .Sh USING SSL/TLS WITH SENDMAIL By default, .Xr sendmail 8
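Review bot: the new DSA paragraphs reference files under names that the preceding commands never create: the request is written with `-out /etc/ssl/dsacert.csr`, but the text then refers to `.Pa server.csr` and the self-sign step reads `-in /etc/ssl/private/dsacert.csr`, and the key is written with `-keyout /etc/ssl/private/dsakey.pem` while the self-sign step uses `-signkey /etc/ssl/private/dsacert.key`. Pick one set of paths (for example `/etc/ssl/private/dsacert.csr` and `/etc/ssl/private/dsacert.key`) and use it in both req commands, the x509 command and the `.Pa` reference, matching what the ECDSA section already does. In the ECDSA section the sentence "you can generate a self-signed certificate and unencrypted private key" introduces `# openssl req -nodes -newkey ec:ec-secp384r1.pem`, which without `-x509` produces only a CSR; it should say "Certificate Signing Request" as the DSA paragraph does, otherwise this reintroduces the exact -x509 confusion the patch sets out to remove. Both "who will sign the key" sentences should say the CA signs the request, since the private key never leaves the host and only the CSR is handed over. Minor points: `-new` is redundant next to `-newkey` in the ECDSA req commands, and the `.Pp` placed immediately before `.Sh GENERATING ECDSA SERVER CERTIFICATES` and before `.Sh USING SSL/TLS WITH SENDMAIL` is a no-op since `.Sh` already starts a new section.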
