Thanks to Matt Caswell for helping me fix the DSA question. His solution, based on the information I provided, was:

    openssl genpkey -genparam -algorithm DSA -pkeyopt \
        dsa_paramgen_bits:2048 -out dsa.params
    openssl genpkey -paramfile dsa.params -out dsa.key

Which leads to my next question. For general application and ssh level defense, is 2048 the right bit amount? Is there a reason not to go to 4096 absent very high request counts? Are there other security flags I should use?

I'm currently reading Ivan's "OpenSSL Cookbook" but some of it is slow to sink in.

Thanks!

Leam