Shammer's Philosophy

My private adversaria

Can't create a CSR with a DH private key...

As in 証明書の秘密鍵生成方法見直し - Shammerism (my earlier post on revisiting how certificate private keys are generated), I have been using openssl genpkey to create various kinds of certificates, but when I try to create a CSR from a DH private key, it does not work.

# openssl genpkey -genparam -algorithm DH -out dhparam.pem -pkeyopt dh_paramgen_prime_len:2048
..................................+............................................................................................................+..............................................................................+........................................................................................................................................................+............................................................................................................+.....................................++*++*
# openssl genpkey -paramfile dhparam.pem -out dhkey.pem
#
# openssl req -new -key dhkey.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:admin@a.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
140030527866536:error:060A109E:digital envelope routines:DO_SIGVER_INIT:no default digest:m_sigver.c:84:
#

Apparently this is because DH can be used for key exchange but not for authentication (the key cannot sign anything, which is what the "no default digest" error amounts to). To use DH, you have to combine it with one of RSA/DSA/EC, which can do authentication. So some care is needed when creating certificates for a setup that uses DH.
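The following script is an added example, not part of the original post, that reproduces the failure non-interactively and shows the working arrangement: an RSA key signs the CSR, and DH parameters are generated separately for the server's DHE key exchange. It assumes the openssl CLI is installed (the named-group option needs OpenSSL 3; on older builds it falls back to generating a small 1024-bit prime), the DN values are the ones typed in the post, and the scratch directory and file names are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates that a DH private
# key is rejected as a CSR signing key while an RSA key is accepted, and that
# DH parameters belong in the server's DHE configuration, not in the CSR.
set -eu

# Without openssl there is nothing to demonstrate.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)                                             # constructed scratch dir
SUBJ="/C=AU/ST=A/L=A/O=A/OU=A/CN=A/emailAddress=admin@a.com"  # DN from the post

# Try to build a CSR from key $1 into $2. Prints 1 when openssl accepts the
# key as a signing key and 0 when it rejects it (as it does for DH).
csr_from_key() {
    if openssl req -new -key "$1" -subj "$SUBJ" -out "$2" 2>/dev/null; then
        echo 1
    else
        echo 0
    fi
}

# DH parameters plus a DH private key, as in the post. A named RFC 7919 group
# is instant on OpenSSL 3; older builds fall back to generating a (small,
# constructed for speed) 1024-bit prime.
gen_dh_key() {
    openssl genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 \
        -out "$WORK/dhparam.pem" 2>/dev/null ||
    openssl genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 \
        -out "$WORK/dhparam.pem" 2>/dev/null
    openssl genpkey -paramfile "$WORK/dhparam.pem" -out "$WORK/dhkey.pem" 2>/dev/null
    echo "$WORK/dhkey.pem"
}

# An RSA key: one of the key types that can sign, and so can carry a CSR.
gen_rsa_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rsakey.pem" 2>/dev/null
    echo "$WORK/rsakey.pem"
}

# Check that a CSR's self-signature verifies with the public key it carries.
csr_verifies() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Runs both attempts and prints a one-line summary of the outcome.
demo() {
    dh=$(csr_from_key "$(gen_dh_key)" "$WORK/dh.csr")
    rsa=$(csr_from_key "$(gen_rsa_key)" "$WORK/rsa.csr")
    verified=0
    [ "$rsa" = 1 ] && verified=$(csr_verifies "$WORK/rsa.csr")
    echo "dh=$dh rsa=$rsa rsa_verified=$verified"
}

demo
# The dhparam.pem produced above is what a server uses for DHE key exchange
# (e.g. nginx ssl_dhparam); the certificate itself is issued for the RSA key.
```

The summary line reads `dh=0 rsa=1 rsa_verified=1`: openssl refuses to sign the request with the DH key, signs it with the RSA key, and the resulting CSR's self-signature verifies.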