Reputation: 421
I'm building a server app in C++ that needs to accept a certificate containing an ECDSA public key. It must validate the certificate and, upon verification, use the public key contained in the certificate to authenticate a message sent along with the certificate.
I have all this working using ECDSA keypairs generated on the fly - i.e. my code is working nicely - but now I need to do the certificate piece.
And I figured I could use OpenSSL's command-line to create the certificate which is installed on the client (along with the ECDSA private key in a separate file).
Can anyone help?
Upvotes: 41
Views: 71627
Reputation: 1591
In addition to the existing answers, here are some one-liners:
cat > ecdsa-certificate-metadata.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
ST = CA
L = Mountain View
O = Example Corp, Inc.
CN = *.example.com
EOF
# Generate a P-256 key and the CSR in one step; -nodes leaves the key file unencrypted
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf
# or: generate a P-521 key first, then build the CSR from it
openssl ecparam -name secp521r1 -genkey -noout -out ecdsa-domain-private.key
openssl req -new -sha256 -key ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf
# or: same as the first form, naming the curve by its NIST name P-256
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf
# or: generate the key and pipe it through "openssl ec", which drops the EC PARAMETERS block and writes only the private key
openssl ecparam -genkey -name prime256v1 | openssl ec -out ecdsa-domain-private.key
openssl req -new -sha256 -key ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf
Upvotes: 1
Reputation: 1587
Keep in mind that, in order to generate a certificate with an ECDSA signature algorithm (not just with an ECDSA key), you also need to specify the matching hash size.
For example, if you generate a P-384 ECDSA key:
# secp384r1 is NIST P-384; the private key is written unencrypted to ecdsa.key
openssl ecparam -name secp384r1 -genkey -out ecdsa.key
You should specify -sha384 to generate the self-signed certificate with matching ECDSA signature and hash algorithm:
# -sha384 makes the certificate's signature algorithm ecdsa-with-SHA384
openssl req -new -x509 -days 36524 -key "ecdsa.key" -sha384 -out ecdsa.crt
Upvotes: 2
Reputation: 17846
If you haven't chosen a curve, you can list them with this command:
openssl ecparam -list_curves
I picked secp256r1 for this example. Use this to generate an EC private key if you don't have one already:
# OpenSSL knows this curve as prime256v1 (NIST P-256), which is the name -list_curves prints for it
openssl ecparam -out ec_key.pem -name prime256v1 -genkey
And then generate the certificate. Your certificate will be in cert.pem.
# -x509 produces a self-signed certificate straight from the key; you will be prompted for the subject fields (add -subj "/CN=..." to skip the prompts)
openssl req -new -key ec_key.pem -x509 -nodes -days 365 -out cert.pem
Upvotes: 74
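The answers above each show one piece (a key, a CSR, or a self-signed certificate). The question also needs the other half: a server that validates the client's certificate against a CA and then uses the public key inside it to check a signature on a message. The script below is an added end-to-end example written for this page; it is not code from any of the answers or from the asker's project. It assumes OpenSSL 1.1.1 or later on PATH; the file names, subject names and the message are constructed for the example.

```shell
#!/bin/sh
# Added example (not from any answer above): full ECDSA certificate
# round-trip with the OpenSSL CLI. Assumes OpenSSL 1.1.1 or newer on
# PATH; all file names are hypothetical and the message is constructed.
set -eu

# Issue a P-256 ECDSA leaf certificate signed by a throwaway ECDSA CA,
# verify the chain the way the server would, sign a message with the
# client's private key, and verify it using only the public key taken
# from the validated certificate. Prints "ok" when every step succeeds;
# any failing step aborts the subshell with a non-zero status.
ecdsa_cert_roundtrip() (
  set -e
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # 1. CA: P-256 key plus a self-signed CA certificate. With an EC key,
  #    req emits ecdsa-with-SHA256 when -sha256 is given.
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -new -x509 -sha256 -days 365 -key ca.key \
    -subj "/CN=Example Test CA" -out ca.crt

  # 2. Client: its own key file (stays on the client) and a CSR.
  openssl ecparam -name prime256v1 -genkey -noout -out client.key
  openssl req -new -sha256 -key client.key \
    -subj "/CN=client.example.com" -out client.csr

  # 3. CA signs the CSR. Extensions are set by the CA via -extfile, so a
  #    client cannot smuggle CA:TRUE or extra names in through the CSR.
  cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:client.example.com
EOF
  openssl x509 -req -sha256 -days 90 -in client.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile client.ext -out client.crt

  # 4. Server side: chain validation against the one trusted CA, plus a
  #    check that the certificate is ECDSA-signed, not merely ECDSA-keyed.
  openssl verify -CAfile ca.crt -purpose sslclient client.crt >/dev/null
  openssl x509 -in client.crt -noout -text \
    | grep -q 'Signature Algorithm: ecdsa-with-SHA256'

  # 5. Message authentication: the client signs, the server verifies with
  #    the public key extracted from the certificate (never with a key
  #    the client sends separately).
  printf 'constructed message: order 42 approved\n' > msg.txt
  openssl dgst -sha256 -sign client.key -out msg.sig msg.txt
  openssl x509 -in client.crt -pubkey -noout > client.pub
  openssl dgst -sha256 -verify client.pub -signature msg.sig msg.txt >/dev/null

  # A modified message must fail against the same signature.
  printf 'constructed message: order 43 approved\n' > tampered.txt
  if openssl dgst -sha256 -verify client.pub -signature msg.sig \
       tampered.txt >/dev/null 2>&1; then
    echo 'tampered message verified unexpectedly' >&2
    exit 1
  fi

  echo ok
)

ecdsa_cert_roundtrip
```

Two points this sequence is built around: the server trusts only the CA it was configured with (`-CAfile ca.crt`), so a self-signed client certificate is rejected even though its embedded key would happily verify the signature; and the key used for verification is taken out of the certificate after validation, which is what ties the message to the identity the CA vouched for. The same `openssl dgst -verify` step is what the C++ server would do with `X509_get_pubkey()` and `EVP_DigestVerify*()` once `X509_verify_cert()` has accepted the certificate.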