On Thu, Jun 30, 2016 at 5:11 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 30/06/16 16:54, Salz, Rich wrote:
> >> Since X25519 is not the first "encrypt-only" algorithm in the
> >> OpenSSL universe, how was requesting certificates handled for
> >> such algorithms in the past?
> >
> > It wasn't.
> >
> >> For example how would one request a DH certificate?
> >
> > You couldn't.
> >
> > I don't recall anyone ever asking for such a thing on the public lists.
> >
> > There is no standardised way of requesting a DH certificate that I know of.
>
> Nonetheless OpenSSL does support the generation of DH certificates, but
> it's a bit nasty:
>
> https://security.stackexchange.com/questions/44251/openssl-generate-different-types-of-self-signed-certificate/82868#82868
>

That seems to be exactly what I was looking for! So create a bogus RSA cert and create its self-signed certificate request. But then use the -force_pubkey flag to substitute my own X25519 public key for the RSA public key, just prior to getting it signed by the CA. Reminds me of the cuckoo..

I would worry about the damage that could be done if -force_pubkey fell into the wrong hands :)

Thanks!

Mike

> Matt
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users