What is DSA? DSA is short for Digital Signature Algorithm, an asymmetric algorithm used for digital signatures, and this article uses the openssl dsa utility to demonstrate it. Unlike RSA, which can be used for both digital signatures and encryption, DSA is used only for digital signatures.
The private key header and footer are the following, in PEM format:
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
And the public key header and footer in PEM format:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
openssl generate dsa certificate and private key
While this post is primarily focused on the openssl dsa utility, it is the dsaparam utility that creates the DSA private key. To generate a DSA private key with the dsaparam command, run the following:
openssl dsaparam -out key.pem -genkey 1024
While openssl will accept a key size other than 1024, other key sizes are not interoperable with all systems using DSA.
To generate a self-signed certificate from the newly created private key, run the following command:
openssl req -x509 -new -key key.pem -out cert.pem
Generate a DSA CSR (Certificate Signing Request)
To generate a CSR from the newly created private key in the previous example, run the following command:
openssl req -new -key key.pem -out csr.pem
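The key, certificate and CSR commands above as one non-interactive script, added here as an example that is not from the original article: it generates the parameters and key, the self-signed certificate and the CSR, then checks that the certificate really carries a DSA key and that the CSR's self-signature verifies. It assumes the openssl CLI is on PATH; the temporary working directory, the file names and the subject /CN=dsa-example are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): generate DSA parameters and
# key, a self-signed certificate and a CSR, then check that each artifact
# really carries a DSA key. Assumes the openssl CLI is on PATH; file names
# and the subject "/CN=dsa-example" are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Parameters and private key in one file (dsaparam -genkey writes both blocks).
gen_dsa_key() {
    openssl dsaparam -out "$WORK/key.pem" -genkey 1024 2>/dev/null
}

# Self-signed certificate; -subj makes the command non-interactive.
gen_self_signed() {
    openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=dsa-example" \
        -days 30 -out "$WORK/cert.pem" 2>/dev/null
}

# Certificate signing request from the same private key.
gen_csr() {
    openssl req -new -key "$WORK/key.pem" -subj "/CN=dsa-example" \
        -out "$WORK/csr.pem" 2>/dev/null
}

# Print the public key algorithm recorded in the certificate (dsaEncryption).
cert_key_algorithm() {
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Check the CSR's self-signature; prints "ok" or "bad".
csr_signature_status() {
    if openssl req -in "$WORK/csr.pem" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

gen_dsa_key
gen_self_signed
gen_csr
echo "certificate key algorithm: $(cert_key_algorithm)"
echo "CSR signature: $(csr_signature_status)"
```

The -subj option is what keeps the req commands from prompting for a distinguished name, which matters when this runs unattended; the two check functions are the kind of post-condition a provisioning script should assert rather than assume.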
openssl dsaparam
The openssl dsaparam utility manages DSA parameters. Generating these parameters is slow, and the same parameters may be used to generate multiple but distinct keys.
The DSA parameter header and footer look like the following:
-----BEGIN DSA PARAMETERS-----
-----END DSA PARAMETERS-----
DSA signature with openssl dsa
To sign a file with a DSA private key and SHA256, run the following openssl dgst command:
openssl dgst -sha256 -sign key.pem message.txt > message.txt.sig
Where -sha256 is the hash algorithm, -sign key.pem specifies the signing key, and message.txt > message.txt.sig specifies the file to sign and the file to be created holding the signature.
Before verifying the signature, you must extract the public key from the private key. To get the DSA public key from your private key, run the following command:
openssl dsa -in key.pem -pubout -out public-key.pem
Where -in key.pem is the private key, -pubout means extract the public key, and -out public-key.pem is the new file to hold the public key.
To verify that signature, run the following openssl command:
openssl dgst -sha256 -verify public-key.pem -signature message.txt.sig message.txt
Where -sha256 is the same hashing algorithm used in the signature, -verify public-key.pem means to verify the signature with the specified public key, and -signature message.txt.sig message.txt specifies the signature file and the message file that was signed, in that order.
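The sign, extract and verify steps above as one script, added here as an example that is not from the original article. Beyond the article's commands it shows three things a practitioner should expect: a message changed by one character fails verification, two DSA signatures over the same message differ (DSA draws a fresh random nonce per signature), and the signature file is a DER SEQUENCE of the two INTEGERs r and s. It assumes the openssl CLI is on PATH; the message text and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): sign a message with a DSA
# key, verify it, show that a modified message fails, that two DSA signatures
# of the same message differ (DSA uses a fresh random nonce per signature),
# and that the signature file is a DER SEQUENCE of two INTEGERs (r, s).
# Assumes the openssl CLI is on PATH; all file names and contents are
# constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl dsaparam -out "$WORK/key.pem" -genkey 1024 2>/dev/null
openssl dsa -in "$WORK/key.pem" -pubout -out "$WORK/public-key.pem" 2>/dev/null

# Constructed sample message, plus a copy with one character changed.
printf 'transfer 100 to account 42\n' > "$WORK/message.txt"
printf 'transfer 900 to account 42\n' > "$WORK/tampered.txt"

# Sign file $1 with SHA-256, writing the DER-encoded signature to $2.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$2" "$1"
}

# Verify file $1 against signature file $2; prints "valid" or "invalid".
verify_file() {
    if openssl dgst -sha256 -verify "$WORK/public-key.pem" \
            -signature "$2" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Sign the same message twice and report whether the signatures differ.
signatures_differ() {
    sign_file "$WORK/message.txt" "$WORK/sig1.bin"
    sign_file "$WORK/message.txt" "$WORK/sig2.bin"
    if cmp -s "$WORK/sig1.bin" "$WORK/sig2.bin"; then echo no; else echo yes; fi
}

# Count the INTEGER elements inside DER signature $1 (expect 2: r and s).
signature_integer_count() {
    openssl asn1parse -inform DER -in "$1" | grep -c 'prim: INTEGER'
}

sign_file "$WORK/message.txt" "$WORK/message.txt.sig"
echo "original: $(verify_file "$WORK/message.txt" "$WORK/message.txt.sig")"
echo "tampered: $(verify_file "$WORK/tampered.txt" "$WORK/message.txt.sig")"
echo "two signatures differ: $(signatures_differ)"
echo "integers in signature: $(signature_integer_count "$WORK/message.txt.sig")"
```

Because the signature is not a fixed function of the message, a verifier must never compare signature bytes; it must run the verification operation, as verify_file does. The per-signature nonce is also why the signing host needs a sound random number generator: DSA's private key is exposed if a nonce is ever reused or predictable.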
DSA encryption
DSA is a signature algorithm and was not designed for encryption. The DSA private key is for generating digital signatures and its public key is used to verify that signature.
DSA vs RSA
To learn more about the differences between DSA and RSA, read our post on RSA vs DSA vs ECDSA.
Other openssl dsa examples
To encrypt a DSA private key, run the following command, swapping -des3 for any supported cipher:
openssl dsa -in key.pem -des3 -out keyout.pem
Private keys should not be stored in plaintext if at all possible. If you need to decrypt the key, run the following command:
openssl dsa -in key.pem -out keyout.pem
To convert the PEM encoded DSA private key to DER format, run the following command:
openssl dsa -in key.pem -outform DER -out key.der
To print the PEM encoded DSA key components, run the following command:
openssl dsa -in key.pem -text -noout
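The encrypt, decrypt and DER conversion commands above as one script, added here as an example that is not from the original article. It encrypts the private key under a passphrase, confirms that the file no longer loads without that passphrase, decrypts it again and converts it to DER; after each step the public key derived from the file is compared with the original, which is a cheap way to prove a key round trip did not silently change the key. -aes256 is used in place of the article's -des3, as the article allows. It assumes the openssl CLI is on PATH; the passphrase and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): encrypt a DSA private key
# under a passphrase, confirm it no longer loads without that passphrase,
# decrypt it again, and convert it to DER; at each step the public key
# derived from the file is compared with the original so the round trips
# can be checked. -aes256 replaces the article's -des3. Assumes the openssl
# CLI is on PATH; the passphrase and file names are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='example-passphrase'   # constructed for the example; never hard-code a real one

openssl dsaparam -out "$WORK/key.pem" -genkey 1024 2>/dev/null

# SHA-256 of the public key derived from private key file $1 in format $2 (PEM or DER).
pub_fingerprint() {
    openssl dsa -inform "$2" -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Encrypt key.pem -> enc.pem; pass:... supplies the passphrase without a prompt.
encrypt_key() {
    openssl dsa -in "$WORK/key.pem" -aes256 -passout "pass:$PASS" \
        -out "$WORK/enc.pem" 2>/dev/null
}

# Decrypt enc.pem -> dec.pem with the passphrase given as $1.
decrypt_key() {
    openssl dsa -in "$WORK/enc.pem" -passin "pass:$1" \
        -out "$WORK/dec.pem" 2>/dev/null
}

# "yes" if enc.pem is marked as encrypted (traditional PEM writes
# "Proc-Type: 4,ENCRYPTED", PKCS#8 writes an ENCRYPTED PRIVATE KEY block).
encrypted_marker_present() {
    if grep -q ENCRYPTED "$WORK/enc.pem"; then echo yes; else echo no; fi
}

# "yes" if a wrong passphrase is rejected.
wrong_passphrase_rejected() {
    if decrypt_key 'not-the-passphrase'; then echo no; else echo yes; fi
}

# Decrypt with the right passphrase and compare public keys: "same" or "different".
roundtrip_matches() {
    decrypt_key "$PASS"
    if [ "$(pub_fingerprint "$WORK/key.pem" PEM)" = "$(pub_fingerprint "$WORK/dec.pem" PEM)" ]; then
        echo same
    else
        echo different
    fi
}

# Convert to DER and compare the public key again: "same" or "different".
der_matches() {
    openssl dsa -in "$WORK/key.pem" -outform DER -out "$WORK/key.der" 2>/dev/null
    if [ "$(pub_fingerprint "$WORK/key.pem" PEM)" = "$(pub_fingerprint "$WORK/key.der" DER)" ]; then
        echo same
    else
        echo different
    fi
}

encrypt_key
echo "encrypted marker: $(encrypted_marker_present)"
echo "wrong passphrase rejected: $(wrong_passphrase_rejected)"
echo "decrypted key matches: $(roundtrip_matches)"
echo "DER key matches: $(der_matches)"
```

The public-key fingerprint comparison is used instead of a byte-for-byte file comparison because the file written by dsaparam -genkey also carries the DSA PARAMETERS block, and because the private key encoding can differ between OpenSSL versions; the key material itself is what must survive the round trip.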
Let us know in the comments if you have any questions or suggested improvements for this article.