Hrd

Reputation: 21

EJBCA - how to generate certificate with ECDSA key?

Using EJBCA (6.2.0), after adding an ECDSA entity certificate on EJBCA's "Admin" server, I tried to use the EJBCA public web to enroll this entity certificate. However, it only provides the choice to select the RSA key bit length, not the named curves that I need (note: I have all the certificate CA, profile configured as ECDSA). After spending a few days googling this topic, I have come to the impression that EJBCA is only capable of using ECDSA to sign certificates, not to generate ECDSA keys!

I wonder if there is a way to work around this issue? Any help is greatly appreciated!

Thanks, Harold T

Upvotes: 2

Views: 1033

Answers (2)

primetomas

Reputation: 552

Using the batch tool, you can edit conf/batchtool.properties to achieve what you are asking for. Future versions will support it in the GUI as well.

Upvotes: 0

divanov

Reputation: 6339

This depends on which key pair you are generating. When generating a CA in EJBCA, up to three keys and certificates are generated:

  • A CA signing keypair and certificate
  • An encryption keypair, used for encrypting key recovery information
  • An OCSP signer keypair and certificate

When using ECDSA keys, the CA signing keypair and the OCSP signer keypair will be the ECDSA key type you select when creating the CA. The CA signing and OCSP signing certificates will be signed using your selected signature algorithm. The encryption keypair will always be RSA, using 1024 or 2048 bit key length. It uses the key length set in the admin-GUI, or 2048 bit by default when using the CLI. A dummy encryption certificate will be created using SHA1WithRSA.

Upvotes: 0
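Both answers leave a mix of key types in play (EC keys for signing and, via the batch tool, for end entities; RSA for the CA's encryption key), so it is worth checking what a given certificate actually contains. The following is an added example, not part of either answer or of EJBCA: it uses the OpenSSL command line, the function names are hypothetical, and the throwaway self-signed certificates are constructed stand-ins for certificates exported from the CA.

```shell
#!/bin/sh
# Added example: confirm that a certificate carries an EC public key on the
# expected named curve rather than an RSA key.

# Print "<algorithm> <curve>" for a PEM certificate, for example
# "id-ecPublicKey prime256v1" or "rsaEncryption -".
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
    printf '%s %s\n' "$alg" "${curve:--}"
}

# Return 0 only if the certificate key is EC on the expected curve.
# Note: OpenSSL reports the curve secp256r1 under the name prime256v1.
check_cert_curve() {
    info=$(cert_key_info "$1") || return 2
    [ "$info" = "id-ecPublicKey $2" ]
}

# Constructed sample input: self-signed throwaway certificates standing in
# for certificates issued by the CA. $1 = ec|rsa, $2 = output directory.
make_sample_cert() {
    if [ "$1" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$2/$1.key" 2>/dev/null
    else
        openssl genrsa -out "$2/$1.key" 2048 2>/dev/null
    fi
    openssl req -x509 -new -key "$2/$1.key" -subj "/CN=constructed-$1" \
        -days 1 -out "$2/$1.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    for kind in ec rsa; do
        make_sample_cert "$kind" "$dir"
        if check_cert_curve "$dir/$kind.pem" prime256v1; then
            echo "$kind.pem: OK, $(cert_key_info "$dir/$kind.pem")"
        else
            echo "$kind.pem: unexpected key, $(cert_key_info "$dir/$kind.pem")"
        fi
    done
    rm -rf "$dir"
}
demo
```

To check a real certificate, export it from the key store as PEM and pass it to `check_cert_curve` with the curve name as OpenSSL spells it.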
