What is DSA? DSA is short for Digital Signature Algorithm, an asymmetric algorithm used primarily for digital signatures; this article uses the openssl dsa utility to demonstrate it. DSA, like RSA, can be used for both digital signatures and encryption, but it is primarily used for digital signatures.

The private key header and footer are the following, in PEM format:

```
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
```

And the public key header and footer in PEM format:

```
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
```

## openssl generate dsa certificate and private key

While this post is primarily focused on the openssl dsa utility, it is the dsaparam utility that creates the DSA private key. To generate a DSA private key with the dsaparam command, run the following:

`openssl dsaparam -out key.pem -genkey 1024`

While openssl will accept a key size other than 1024, other key sizes are not interoperable with all systems using DSA.

To generate a self-signed certificate from the newly created private key, run the following command:

`openssl req -x509 -new -key key.pem -out cert.pem`

## Generate a DSA CSR (Certificate Signing Request)

To generate a CSR from the newly created private key in the previous example, run the following command:

`openssl req -new -key key.pem -out csr.pem`

## openssl dsaparam

The openssl dsaparam utility manages DSA parameters. Generating these parameters is slow, and the same parameters may be used to generate multiple but distinct keys.

The DSA parameter header and footer look like the following:

```
-----BEGIN DSA PARAMETERS-----
-----END DSA PARAMETERS-----
```

## DSA signature with openssl dsa

To sign a file with a DSA private key and SHA256, run the following openssl dgst command:

`openssl dgst -sha256 -sign key.pem message.txt > message.txt.sig`

Where `-sha256` is the hash algorithm, `-sign key.pem` specifies the signing key, and `message.txt > message.txt.sig` specifies the file to sign and the file to be created, holding the signature.

Before verifying the signature, you must extract the public key from the private key. To get the DSA public key from your private key, run the following command:

`openssl dsa -in key.pem -pubout -out public-key.pem`

Where `-in key.pem` is the private key, `-pubout` means extract the public key, and `-out public-key.pem` is the new file to hold the public key.

To verify that signature, run the following openssl command:

`openssl dgst -sha256 -verify public-key.pem -signature message.txt.sig message.txt`

Where `-sha256` is the same hashing algorithm used in the signature, `-verify public-key.pem` means to verify the signature with the specified public key, and `-signature message.txt.sig message.txt` specifies the signature file and the message file that was signed, in that order.
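The signing and verification steps above run end to end in the following added example (it is not part of the original article). It also exercises the point from the dsaparam section that one parameter set yields several distinct keys, and checks the two outcomes a verifier must get right: a modified message and a public key that does not match the signer. It assumes `openssl` is on PATH; the file names and message text are constructed here.

```shell
# Added example: DSA sign/verify round trip with the openssl CLI.
# Assumes the openssl binary is on PATH; all file names are constructed.
dsa_sign_verify_demo() {
    work=$(mktemp -d) || return 1

    # Parameter generation is the slow step; two distinct keys are then
    # derived from the same parameter set. 2048-bit parameters are used
    # here rather than the article's 1024.
    openssl dsaparam -out "$work/dsaparam.pem" 2048 >/dev/null 2>&1 || return 1
    openssl gendsa -out "$work/key.pem"  "$work/dsaparam.pem" 2>/dev/null || return 1
    openssl gendsa -out "$work/key2.pem" "$work/dsaparam.pem" 2>/dev/null || return 1

    # The verifier only ever sees the public halves.
    openssl dsa -in "$work/key.pem"  -pubout -out "$work/public-key.pem"  2>/dev/null || return 1
    openssl dsa -in "$work/key2.pem" -pubout -out "$work/public-key2.pem" 2>/dev/null || return 1

    # Constructed message, signed with SHA-256 into a detached signature file.
    printf 'transfer 100 to alice\n' > "$work/message.txt"
    openssl dgst -sha256 -sign "$work/key.pem" -out "$work/message.txt.sig" \
        "$work/message.txt" 2>/dev/null || return 1

    # 1. Genuine message + matching public key: must verify (exit status 0).
    openssl dgst -sha256 -verify "$work/public-key.pem" \
        -signature "$work/message.txt.sig" "$work/message.txt" >/dev/null 2>&1 || return 1

    # 2. One changed byte in the message: verification must fail.
    printf 'transfer 900 to alice\n' > "$work/tampered.txt"
    if openssl dgst -sha256 -verify "$work/public-key.pem" \
        -signature "$work/message.txt.sig" "$work/tampered.txt" >/dev/null 2>&1; then
        return 1
    fi

    # 3. Original message, but the other key from the same parameters: must fail.
    if openssl dgst -sha256 -verify "$work/public-key2.pem" \
        -signature "$work/message.txt.sig" "$work/message.txt" >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$work"
    return 0
}
```

The function returns 0 only when the genuine message verifies and both negative cases are rejected, so it can be dropped into a script as a quick self-check of a local openssl build.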

## DSA encryption

DSA is a signature algorithm and was not designed for encryption. The DSA private key is for generating digital signatures and its public key is used to verify that signature.

## DSA vs RSA

To learn more about the differences between DSA and RSA, read our post on RSA vs DSA vs ECDSA.

## Other openssl dsa examples

To encrypt a DSA private key, run the following command, swapping out `-des3` with any supported algorithm:

`openssl dsa -in key.pem -des3 -out keyout.pem`

Private keys should not be stored in plaintext if at all possible. If you need to decrypt the key, run the following command (openssl prompts for the passphrase):

`openssl dsa -in key.pem -out keyout.pem`

To convert the PEM encoded DSA private key to DER format, run the following command:

`openssl dsa -in key.pem -outform DER -out key.der`

To print the PEM encoded DSA key components, run the following command:

`openssl dsa -in key.pem -text -noout`

Let us know in the comments if you have any questions or suggested improvements for this article.
