> Um, OK. Out of curiosity, if you don't mind revealing it, please tell
> us (me) where that requirement comes from. I ask because I don't know
> of ANY public CA that issues such certs today. The last CA I knew of
> that did was the US DoD's CA that issued certificates for Fortezza cards.

My company develops an in-line network device that possibly re-signs certificates of SSL connections with an internal CA. Currently, we do not handle the regular DH ciphers, but supposedly some SSL traffic uses them.

As far as I understand, an SSL server that uses regular DH ciphers (DH_RSA_* and DH_SSL_*) must have an SSL certificate with DH public key / parameters in it. I have no idea where such servers got their certificates and whether they came from a trusted CA :) I was also under the impression that these certificates were basically dead, but supposedly some potential customers still use them for regular DH ciphers.

> > This certificate is then signed by a CA using RSA and DSS (hence the
> > DH_RSA_* and DH_DSS_* SSL cipher suites).
>
> Well, in any given cert, it will be signed by either RSA or DSS, not
> both, of course.

Yeah, please s/and/or/

Any pointers about where I should look in order to generate a DH SSL certificate using NSS? Does NSS also have an API to generate the DH parameters?

Regards,
Peter Djalaliev