views:

264

answers:

2

I need an SSL certificate for a web server. I can generate a self-signed SSL certificate with the following OpenSSL commands:

openssl req -newkey rsa:512 -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
openssl dhparam -inform pem -in cert.pem -outform pem -out dhparam.pem 512
cat dhparam.pem >> cert.pem

If I want to have a CA-signed certificate, I can generate a CSR (Certificate Signing Request):

openssl req -newkey rsa:512  -nodes -out cert.csr -keyout cert.key

And send it to a CA. And then? I'm wondering what the CA sends back: only the certificate, or the certificate and the DH parameters, since they are used in the negotiation between the browser and the server?

A: 

Actually, openssl req is enough to generate a self-signed certificate. The DH parameters are not needed to work with an SSL certificate - or they can be found in the certificate generated by the CA.

So the CA will only send back a certificate file (e.g. a .crt file) which has to be used along with the private key.

philippe
+1  A: 

The Certificate Authority usually just takes the public key in the CSR and puts it in a certificate with its own DH parameters.

Robert
DH parameters can be in the certificate? That's what I was missing, thanks.
philippe
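A local dry run of the round trip asked about in this thread, as an added example (not code from the question or the answers): the server side makes a CSR, a throwaway CA signs it, and the checks show that what comes back is only a certificate carrying the CSR's public key, with no DH parameters in it. The names (www.example.test, Example Test CA) and the use of RSA 2048 instead of the 512-bit keys in the question are my assumptions; the script expects the openssl command-line tool to be installed.

```shell
#!/bin/sh
# Added example: play the CA role locally to see exactly what a CA returns
# for a CSR. Key size is RSA 2048 (the 512-bit keys in the question are far
# too small for real use). All names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)

# 1. Server side: private key stays here, only the CSR goes to the CA.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -out "$WORK/server.csr" -keyout "$WORK/server.key" 2>/dev/null
}

# 2. A throwaway CA with its own self-signed root certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -out "$WORK/ca.pem" -keyout "$WORK/ca.key" 2>/dev/null
}

# 3. The CA signs the CSR; the only artifact it produces is server.crt.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/server.crt" 2>/dev/null
}

# Check: the public key in the returned certificate is the one from the CSR,
# so the CA never needed (and never saw) server.key.
same_pubkey() {
    csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ]
}

# Check: the returned certificate chains to the CA root.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Check: an RSA server certificate carries no DH parameters; a dhparam file
# is a separate server-side artifact that the CA is not involved with.
cert_has_dh_params() {
    grep -q "BEGIN DH PARAMETERS" "$WORK/server.crt"
}

make_csr && make_ca && sign_csr
same_pubkey && verify_chain && ! cert_has_dh_params \
    && echo "CA returned only server.crt; it holds the CSR public key and no DH parameters"
```

To deploy, the server is configured with server.key (kept local) plus the returned server.crt, and any dhparam file is generated and configured separately on the server.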