openssl dsa

May 21, 2020 by Mister PKI

What is DSA? DSA is short for Digital Signature Algorithm, an asymmetric algorithm used for digital signatures, and this article uses the openssl dsa utility to demonstrate it. Unlike RSA, which can be used for both digital signatures and encryption, DSA is a signature-only algorithm: the private key produces signatures and the public key verifies them (see the DSA encryption section below).

The private key header and footer are the following, in PEM format:

-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----

And the public key header and footer in PEM format:

-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

openssl generate dsa certificate and private key

While this post is primarily focused on the openssl dsa utility, it is the dsaparam utility that creates the DSA private key. To generate a DSA private key with the dsaparam command, run the following:

openssl dsaparam -out key.pem -genkey 1024

While openssl will accept key sizes other than 1024, 1024 bits is the only size that interoperates with every system that uses DSA.

To generate a self-signed certificate from the newly created private key, run the following command:

openssl req -x509 -new -key key.pem -out cert.pem

Generate a DSA CSR (Certificate Signing Request)

To generate a CSR from the newly created private key in the previous example, run the following command:

openssl req -new -key key.pem -out csr.pem

openssl dsaparam

The openssl dsaparam utility manages DSA parameters. Generating these parameters is slow, and the same parameters may be used to generate multiple but distinct keys.

The DSA parameter header and footer look like the following:

-----BEGIN DSA PARAMETERS-----
-----END DSA PARAMETERS-----
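Putting the key, certificate, CSR and parameter steps above together, here is an added shell script (not from the Mister PKI post) that generates the parameters once, derives two distinct private keys from that one parameter file with openssl gendsa, issues a self-signed certificate and a CSR from the first key, and then checks that both keys share P, Q and G while their public keys differ. The file names, the temporary directory and the subject /CN=dsa-example.test are assumptions; -subj is passed so openssl req does not prompt.

```shell
#!/bin/sh
# Added example (not from the original post): reuse one DSA parameter set for
# two keys, then issue a self-signed certificate and a CSR from the first key.
set -eu

# Generate everything into a fresh temporary directory and print its path.
dsa_setup() {
  work=$(mktemp -d)
  # Parameter generation is the slow step, so do it once. 1024 matches the
  # post's interoperability note; current guidance is 2048 or 3072 bits.
  openssl dsaparam -out "$work/dsaparam.pem" 1024 >/dev/null 2>&1
  # Two distinct private keys from the same parameters (this part is fast).
  openssl gendsa -out "$work/key1.pem" "$work/dsaparam.pem" >/dev/null 2>&1
  openssl gendsa -out "$work/key2.pem" "$work/dsaparam.pem" >/dev/null 2>&1
  # Self-signed certificate and CSR from key1; -subj avoids the prompts.
  openssl req -x509 -new -key "$work/key1.pem" -subj "/CN=dsa-example.test" \
    -days 30 -out "$work/cert.pem" >/dev/null 2>&1
  openssl req -new -key "$work/key1.pem" -subj "/CN=dsa-example.test" \
    -out "$work/csr.pem" >/dev/null 2>&1
  printf '%s\n' "$work"
}

# Print only the P, Q, G section of a key's -text dump.
dsa_params_of() {
  openssl dsa -in "$1" -text -noout 2>/dev/null | sed -n '/^P:/,$p'
}

# Public key in PEM form, as extracted with -pubout.
dsa_pubkey_of() {
  openssl dsa -in "$1" -pubout 2>/dev/null
}

# "yes" if both keys carry the same (non-empty) P, Q, G: shared parameters.
dsa_params_shared() {
  p1=$(dsa_params_of "$1/key1.pem")
  p2=$(dsa_params_of "$1/key2.pem")
  [ -n "$p1" ] && [ "$p1" = "$p2" ] && echo yes || echo no
}

# "yes" if the two keys are nevertheless different keys.
dsa_keys_distinct() {
  [ "$(dsa_pubkey_of "$1/key1.pem")" != "$(dsa_pubkey_of "$1/key2.pem")" ] \
    && echo yes || echo no
}

# "yes" if the certificate carries key1's public key.
dsa_cert_matches_key() {
  [ "$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null)" = \
    "$(dsa_pubkey_of "$1/key1.pem")" ] && echo yes || echo no
}

# "yes" if the CSR's self-signature verifies (it was signed with key1).
dsa_csr_verifies() {
  openssl req -in "$1/csr.pem" -noout -verify >/dev/null 2>&1 && echo yes || echo no
}

# Usage: sh dsa-setup.sh run
if [ "${1:-}" = "run" ]; then
  d=$(dsa_setup)
  echo "params shared: $(dsa_params_shared "$d"); keys distinct: $(dsa_keys_distinct "$d")"
  echo "cert matches key1: $(dsa_cert_matches_key "$d"); csr verifies: $(dsa_csr_verifies "$d")"
fi
```

The comparison of the P, Q, G section is what shows the dsaparam point in practice: the slow parameter generation happens once, and each gendsa call only picks a fresh private value, so the keys differ while the group they live in is identical.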

DSA signature with openssl dsa

To sign a file with a DSA private key and SHA256, run the following openssl dgst command:

openssl dgst -sha256 -sign key.pem message.txt > message.txt.sig

Where -sha256 is the hash algorithm, -sign key.pem specifies the signing key, message.txt is the file to sign, and > message.txt.sig redirects the binary signature that openssl writes to standard output into the file that will hold it.

Before verifying the signature, you must extract the public key from the private key. To get the DSA public key from your private key, run the following command:

openssl dsa -in key.pem -pubout -out public-key.pem

Where -in key.pem is the private key, -pubout means extract the public key, and -out public-key.pem is the new file to hold the public key.

To verify that signature, run the following openssl command:

openssl dgst -sha256 -verify public-key.pem -signature message.txt.sig message.txt

Where -sha256 is the same hashing algorithm used in the signature, -verify public-key.pem means to verify the signature with the specified public key, and -signature message.txt.sig message.txt specifies the signature file and the message file that was signed, in that order.
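The sign, extract and verify steps above, as an added example that is not part of the original post: it signs a constructed sample message with SHA-256, verifies it with the extracted public key, and then shows the two outcomes a defender cares about, that a modified file and a different key both fail verification. The file names, the sample message and the temporary directory are assumptions; the result is read from the exit status of openssl dgst rather than from its printed text, because the wording of the failure message differs between OpenSSL versions.

```shell
#!/bin/sh
# Added example (not from the original post): sign a file with a DSA key and
# SHA-256, verify it with the public key, and confirm that tampering or a
# different key makes verification fail.
set -eu

# Create the keys, the sample message and its signature; print the work dir.
dsa_sign_setup() {
  work=$(mktemp -d)
  # -noout -genkey writes only the private key, without a PARAMETERS block.
  openssl dsaparam -noout -genkey -out "$work/key.pem" 1024 >/dev/null 2>&1
  # A second, unrelated key pair to show that verification is bound to the key.
  openssl dsaparam -noout -genkey -out "$work/other.pem" 1024 >/dev/null 2>&1
  # Extract the public keys; the verifier only ever needs these.
  openssl dsa -in "$work/key.pem" -pubout -out "$work/public-key.pem" >/dev/null 2>&1
  openssl dsa -in "$work/other.pem" -pubout -out "$work/other-public-key.pem" >/dev/null 2>&1
  # Constructed sample message.
  printf 'release build 1.2.3 artifact=app.tar.gz\n' > "$work/message.txt"
  # Sign: hash the file with SHA-256, sign the digest, write the DER signature.
  openssl dgst -sha256 -sign "$work/key.pem" -out "$work/message.txt.sig" "$work/message.txt"
  # A tampered copy: a single changed character must break verification.
  sed 's/1\.2\.3/1.2.4/' "$work/message.txt" > "$work/tampered.txt"
  printf '%s\n' "$work"
}

# Verify file $3 against signature $2 with public key $1; print ok or fail.
dsa_verify() {
  if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Usage: sh dsa-sign.sh run
if [ "${1:-}" = "run" ]; then
  d=$(dsa_sign_setup)
  echo "original file, right key:  $(dsa_verify "$d/public-key.pem" "$d/message.txt.sig" "$d/message.txt")"
  echo "tampered file, right key:  $(dsa_verify "$d/public-key.pem" "$d/message.txt.sig" "$d/tampered.txt")"
  echo "original file, other key:  $(dsa_verify "$d/other-public-key.pem" "$d/message.txt.sig" "$d/message.txt")"
fi
```

Checking the exit status is also the right thing to do in scripts: a verification step that greps for "Verified OK" silently passes when the message text changes, whereas a non-zero exit status is stable across releases.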

DSA encryption

DSA is a signature algorithm and was not designed for encryption. The DSA private key is for generating digital signatures and its public key is used to verify that signature.

DSA vs RSA

To learn more about the differences between DSA and RSA, read our post on RSA vs DSA vs ECDSA.

Other openssl dsa examples

To encrypt a DSA private key with a passphrase, run the following command, swapping -des3 for any other supported cipher (for example -aes256):

openssl dsa -in key.pem -des3 -out keyout.pem

Private keys should not be stored in plaintext if at all possible. If you need to decrypt the key, run the following command, where keyout.pem is the encrypted key written by the previous command:

openssl dsa -in keyout.pem -out key-decrypted.pem

To convert the PEM encoded DSA private key to DER format, run the following command:

openssl dsa -in key.pem -outform DER -out key.der

To print the PEM encoded DSA key components, run the following command:

openssl dsa -in key.pem -text -noout
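The encrypt, decrypt, DER conversion and -text steps above, as an added example that is not part of the original post: it encrypts a key with AES-256 under a passphrase, decrypts it again, converts the key to DER and back, and checks that every copy is the same key, that the encrypted file is marked as such, and that a wrong passphrase is rejected. The file names, the passphrase example-passphrase, the temporary directory and the use of -passout/-passin (only so the script runs unattended) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a DSA private key
# through passphrase encryption and DER conversion, checking each copy.
set -eu

# Produce the key and its derived files in a temporary directory; print the path.
dsa_convert_setup() {
  work=$(mktemp -d)
  openssl dsaparam -noout -genkey -out "$work/key.pem" 1024 >/dev/null 2>&1
  # Encrypt with AES-256-CBC (the post's -des3 works too; AES is the stronger
  # choice). pass: is used only so this runs unattended; omit it interactively.
  openssl dsa -in "$work/key.pem" -aes256 -passout pass:example-passphrase \
    -out "$work/keyout.pem" >/dev/null 2>&1
  # Decrypt: the input is the encrypted file written by the previous step.
  openssl dsa -in "$work/keyout.pem" -passin pass:example-passphrase \
    -out "$work/key-decrypted.pem" >/dev/null 2>&1
  # PEM -> DER, then DER -> PEM again.
  openssl dsa -in "$work/key.pem" -outform DER -out "$work/key.der" >/dev/null 2>&1
  openssl dsa -in "$work/key.der" -inform DER -out "$work/key-from-der.pem" >/dev/null 2>&1
  printf '%s\n' "$work"
}

# Public key in PEM form; comparing these tells us two files hold the same key.
dsa_pubkey_of() {
  openssl dsa -in "$1" -pubout 2>/dev/null
}

# "yes" if two PEM private key files yield the same public key.
dsa_same_key() {
  [ "$(dsa_pubkey_of "$1")" = "$(dsa_pubkey_of "$2")" ] && echo yes || echo no
}

# "yes" if the PEM headers mark the file as encrypted (both the legacy
# "Proc-Type: 4,ENCRYPTED" and PKCS#8 "ENCRYPTED PRIVATE KEY" forms).
dsa_is_encrypted() {
  grep -q ENCRYPTED "$1" && echo yes || echo no
}

# "yes" if the encrypted key cannot be loaded with a wrong passphrase.
dsa_wrong_pass_rejected() {
  if openssl dsa -in "$1" -passin pass:not-the-passphrase -noout >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# The component labels that -text prints, in order: the private value, the
# public value and the shared parameters P, Q, G.
dsa_text_components() {
  openssl dsa -in "$1" -text -noout 2>/dev/null \
    | grep -E '^(priv|pub|P|Q|G):' | cut -d: -f1 | tr '\n' ' '
}

# Usage: sh dsa-convert.sh run
if [ "${1:-}" = "run" ]; then
  d=$(dsa_convert_setup)
  echo "keyout.pem encrypted: $(dsa_is_encrypted "$d/keyout.pem")"
  echo "wrong passphrase rejected: $(dsa_wrong_pass_rejected "$d/keyout.pem")"
  echo "decrypted == original: $(dsa_same_key "$d/key.pem" "$d/key-decrypted.pem")"
  echo "from DER == original: $(dsa_same_key "$d/key.pem" "$d/key-from-der.pem")"
  echo "components: $(dsa_text_components "$d/key.pem")"
fi
```

Comparing the extracted public keys, rather than the files byte for byte, is deliberate: newer OpenSSL releases write private keys in PKCS#8 form by default, so a decrypted or converted copy may not be byte-identical to the original even though it is the same key.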

Let us know in the comments if you have any questions or suggested improvements for this article.
