As far as certificate usage goes the DSA personality certificate $DXHOME/config/ssld/personalities/{dsa_name}.pem requires for following:
Key Usages: DIGITAL_SIGNATURE, KEY_AGREEMENT, KEY_ENCIPHERMENT
Certificate Usages: SSL_CLIENT, SSL_SERVER
Notes
* The client certificate usage is required so that two DSAs can communicate with each other. In this case the the DSAs authenticate wit each other using certificate based authentication.
* The SubjectDN of the certificate for each DSA *must* but the same as the "dsa-name" field from the knowledge file for each DSA you are generating a certificate for, otherwise, DSAs will not be able to communicate.
* CA Directory ships with a certificate generation tool, running "dxcertgen certreq" will create a certificate signing request based on the DSA configuration. A certificate authority can then be used to generate and sign a certificate that can then be imported using "dxcertgen certmerge" where the certificate is merged with the private key created when the CSR was generated to for a personality PEM file
* The public certificate for the root CA (and intermediate certificates) should be added imported into $DXHOME/config/ssld/trusted.pem.