From: Dr. Stephen Henson Date: Sat, 25 Mar 2000 02:38:28 +0000 (+0000) Subject: Update docs. X-Git-Tag: OpenSSL_0_9_5a~22 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=afee764c4a173e7dff52dbf59612e2418acc7cb7 Update docs. --- diff --git a/FAQ b/FAQ index 9d3881dac5..eca2601171 100644 --- a/FAQ +++ b/FAQ @@ -13,6 +13,9 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * How do I create certificates or certificate requests? * Why can't I create certificate requests? +* Why does fail with a certificate verify error? +* How can I create DSA certificates? +* Why can't I make an SSL connection using a DSA certificate? * Why can't the OpenSSH configure script detect OpenSSL? @@ -156,6 +159,7 @@ on how to obtain and install the free GNU C compiler. A number of Linux and *BSD distributions include OpenSSL. + * I've compiled a program under Windows and it crashes: why? This is usually because you've missed the comment in INSTALL.W32. You 
@@ -191,6 +195,34 @@ This is because it can't find the configuration file. Check out the DIAGNOSTICS section of req(1) for more information. +* Why does fail with a certificate verify error? + +This problem is usually indicated by log messages saying something like +"unable to get local issuer certificate" or "self signed certificate". +When a certificate is verified its root CA must be "trusted" by OpenSSL +this typically means that the CA certificate must be placed in a directory +or file and the relevant program configured to read it. The OpenSSL program +'verify' behaves in a similar way and issues similar error messages: check +the verify(1) program manual page for more information. + + +* How can I create DSA certificates? + +Check the CA.pl(1) manual page for a DSA certificate example. + + +* Why can't I make an SSL connection to a server using a DSA certificate? + +Typically you'll see a message saying there are no shared ciphers when +the same setup works fine with an RSA certificate. There are two possible +causes. The client may not support connections to DSA servers most web +browsers only support connections to servers supporting RSA cipher suites. +The other cause is that a set of DH parameters has not been supplied to +the server. DH parameters can be created with the dhparam(1) command and +loaded using the SSL_CTX_set_tmp_dh() for example: check the source to +s_server in apps/s_server.c for an example. + + * Why can't the OpenSSH configure script detect OpenSSL? There is a problem with OpenSSH 1.2.2p1, in that the configure script diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index 83e4c0af81..9d287f0c4d 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod 
@@ -102,6 +102,35 @@ the request and finally create a PKCS#12 file containing it. CA.pl -signreq CA.pl -pkcs12 "My Test Certificate" +=head1 DSA CERTIFICATES + +Although the B creates RSA CAs and requests it is still possible to +use it with DSA certificates and requests using the L command +directly. The following example shows the steps that would typically be taken. + +Create some DSA parameters: + + openssl dsaparam -out dsap.pem 1024 + +Create a DSA CA certificate and private key: + + openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + +Create the CA directories and files: + + CA.pl -newca + +enter cacert.pem when prompted for the CA file name. + +Create a DSA certificate request and privat key (a different set of parameters +can optionally be created first): + + openssl req -out newreq.pem -newkey dsa:dsap.pem + +Sign the request: + + CA.pl -signreq + =head1 NOTES Most of the filenames mentioned can be modified by editing the B script.
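Review bot: In the FAQ index hunk (@@ -13,6 +13,9), the new entry "Why can't I make an SSL connection using a DSA certificate?" does not match the heading added further down, "Why can't I make an SSL connection to a server using a DSA certificate?". The index line and the heading should use the same wording so a reader can search from one to the other. The first new entry as shown, "Why does fail with a certificate verify error?", also has no subject for "fail" and should name what fails, both here and in the matching heading.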
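Review bot: The new answers in the FAQ hunk at @@ -191,6 +195,34 contain two run-on sentences that blur the advice: "must be "trusted" by OpenSSL this typically means" needs a full stop or colon after "OpenSSL", and "connections to DSA servers most web browsers only support" needs one after "DSA servers". In the DSA answer, "loaded using the SSL_CTX_set_tmp_dh() for example: check the source to s_server" would read more clearly as "loaded using SSL_CTX_set_tmp_dh(): see apps/s_server.c for an example". The verify answer says the CA certificate "must be placed in a directory or file and the relevant program configured to read it" but leaves the how entirely to verify(1); one sentence naming the mechanism would make the entry usable on its own.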
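Review bot: In the new DSA CERTIFICATES section of doc/apps/CA.pl.pod, the request step "openssl req -out newreq.pem -newkey dsa:dsap.pem" passes no -keyout, so the text promises a private key without saying which file it is written to; either add -keyout to the command or state where the key ends up. The CA step passes cacert.pem to both -keyout and -out, so the CA private key and certificate share one file; the text should say that this is intended, since that combined file is what gets entered at the CA.pl -newca prompt. "privat key" should be "private key".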