Creating Self-Signed ECDSA SSL Certificate using OpenSSL

Before generating a private key, you’ll need to decide which elliptic curve to use. To list the supported curves run:

openssl ecparam -list_curves

The list is quite long and unless you know what you’re doing you’ll be better off choosing one of the sect* or secp*. For this tutorial I choose secp521r1 (a curve over 521bit prime).

Generating the certificate is done in two steps: First we create the private key, and then we create the self-signed X509 certificate:

openssl ecparam -name secp521r1 -genkey -param_enc explicit -out private-key.pem
openssl req -new -x509 -key private-key.pem -out server.pem -days 730

The newly created server.pem and private-key.pem are the certificate and the private key, respectively. The -param_enc explicit tells openssl to embed the full parameters of the curve in the key, as opposed to just its name. This allows clients that are not aware of the specific curve name to work with it, at the cost of slightly increasing the size of the key (and the certificate).

You can examine the key and the certificate using

openssl ecparam -in private-key.pem -text -noout
openssl x509 -in server.pem -text -noout

Most webservers expect the private-key to be chained to the certificate in the same file. So run:

cat private-key.pem server.pem > server-private.pem

And install server-private.pem as your certificate. If you don’t concatenate the private key to the certificate, at least Lighttpd will complain with the following error:

SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line

6 thoughts on “Creating Self-Signed ECDSA SSL Certificate using OpenSSL

  1. Pingback: Generating ECDSA certificate and private key in one step | DL-UAT

  2. Philippe Leothaud

    Hi Guy,

    Thanks for the tip.

    I had some problems with the -param_enc explicit option though : when you use it to generate the keypair openssl server side will not be able to pick a cipher suite from the ones presented by the client and the connection is therefore not established.

    When you remove the option (meaning that you default to named curve) everything works fine.

    Thanks,

    Philippe

  3. Pingback: Improving my OpenVPN Ansible Playbook - nTh among all

  4. varsha

    Hi,
    can you please tell me how to import openssl Certificate using ECDSA in NS2, i ahve already created certificate i need to know how to import certificate into NS2 for further use

  5. Anon

    if the line
    cat private-key.pem server.pem > server-private.pem doesn’t work for you and your on Windows. Do this instead
    type private-key.pem server.pem > server-private.pem

    Hope that helps someone.

Leave a Reply

Your email address will not be published. Required fields are marked *