[Help-gnutls] Encryption using DSA keys

Miroslav Kratochvil exa.exa at gmail.com
Mon Apr 20 15:56:47 CEST 2009

Hi everyone,

well, after I solved the problem at [1], I got to real problems problems:

I want gnutls to negotiate encrypted connection using DSA keys. I
realized that I will have to use DHE_DSS algorithm, but I have no idea
how to generate a certificate for one. Googling failed, and
documentation says only that "DHE_DSS uses DSA keys in certificates."

In OpenSSL world (from where I'm migrating) it was easy, one just
appended "-dsa" to key generating parameters, and it was done.
Nevertheless; with gnutls and --dsa option; I'm getting error -89
(Public key signature verification has failed.). RSA alternative
(--rsa with the same commands) works ok.

So, is there any tutorial or howto on generating suitable DSA keys for
use with encryption? Ideally with a complete certtool script for
generating one selfsigned CA keypair and other that-ca-signed keypair.

If I'm totally wrong and using DSA for encryption is lame, and
therefore it doesn't and won't ever work, please tell me ;)

Thanks in advance

Mirek Kratochvil

[1] is gnutls-devel thread, can be seen at gmane:

More information about the Gnutls-help mailing list