[openssl-users] Creating an X25519-based Certificate
Michael Scott
mike.scott at miracl.com
Thu Jun 30 17:12:32 UTC 2016
On Thu, Jun 30, 2016 at 5:11 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 30/06/16 16:54, Salz, Rich wrote:
> >> Since X25519 is not the first "encrypt-only" algorithm in the
> >> OpenSSL universe, how was requesting certificates handled for
> >> such algorithms in the past?
> >
> > It wasn't.
> >
> >> For example how would one request a DH certificate?
> >
> > You couldn't.
> >
> > I don't recall anyone ever asking for such a thing on the public lists.
> >
>
> There is no standardised way of requesting a DH certificate that I know of.
>
> Nonetheless OpenSSL does support the generation of DH certificates, but
> it's a bit nasty:
>
>
> https://security.stackexchange.com/questions/44251/openssl-generate-different-types-of-self-signed-certificate/82868#82868
>
>
That seems to be exactly what I was looking for! So create a bogus RSA cert
and create its self-signed certificate request. But then use the
-force_pubkey flag to substitute my own X25519 public key for the RSA
public key, just prior to getting it signed by the CA.
Reminds me of the cuckoo..
I would worry about the damage that could be done if -force_pubkey fell
into the wrong hands :)
Thanks!
Mike
> Matt
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160630/e34da1ec/attachment-0001.html>
More information about the openssl-users
mailing list