Before generating a private key, you’ll need to decide which elliptic curve to use. To list the supported curves run:
openssl ecparam -list_curves
The list is quite long and, unless you know what you’re doing, you’ll be better off choosing one of the sect* or secp* curves. For this tutorial I chose secp521r1 (a curve over a 521-bit prime).
Generating the certificate is done in two steps: First we create the private key, and then we create the self-signed X509 certificate:
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out private-key.pem
openssl req -new -x509 -key private-key.pem -out server.pem -days 730
The newly created server.pem and private-key.pem are the certificate and the private key, respectively. The -param_enc explicit option tells openssl to embed the full parameters of the curve in the key, as opposed to just its name. This allows clients that are not aware of the specific curve name to work with it, at the cost of slightly increasing the size of the key (and the certificate).
You can examine the key and the certificate using
openssl ecparam -in private-key.pem -text -noout
openssl x509 -in server.pem -text -noout
Most webservers expect the private key to be chained to the certificate in the same file. So run:
cat private-key.pem server.pem > server-private.pem
And install server-private.pem as your certificate. If you don’t concatenate the private key to the certificate, at least Lighttpd will complain with the following error:
SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line
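The whole procedure above, as an added shell example (not the author's own script): it generates the secp521r1 key and the self-signed certificate non-interactively, checks that the certificate's public key really matches the private key (the check behind the Lighttpd error just shown), and builds the combined file. It keeps OpenSSL's default named-curve encoding rather than -param_enc explicit. The scratch directory, the -subj value and the use of a temporary directory for the output files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: EC key + self-signed cert,
# with a key/certificate match check before the bundle is installed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumption: scratch directory
KEY="$WORKDIR/private-key.pem"
CERT="$WORKDIR/server.pem"
BUNDLE="$WORKDIR/server-private.pem"

# Step 1: private key on the curve used in the post. -noout drops the separate
# EC PARAMETERS block; the curve is still recorded in the key as a named OID.
gen_key() {
    openssl ecparam -name secp521r1 -genkey -noout -out "$KEY"
    chmod 600 "$KEY"
}

# Step 2: self-signed X.509 certificate. -subj avoids the interactive prompts;
# the subject is a constructed value.
gen_cert() {
    openssl req -new -x509 -key "$KEY" -out "$CERT" -days 730 \
        -subj "/CN=example.test"
}

# Print the curve name recorded in the key (empty for explicit parameters,
# which carry the full field/equation values instead of an OID).
key_curve() {
    openssl pkey -in "$KEY" -noout -text | sed -n 's/^ASN1 OID: //p'
}

# The check a server performs at startup: the certificate's public key must
# equal the one derived from the private key. Compare SHA-256 of the DER forms.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$CERT" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Step 3: one file holding key and certificate, as Lighttpd and others expect.
bundle() {
    cat "$KEY" "$CERT" > "$BUNDLE"
    chmod 600 "$BUNDLE"                     # the bundle contains the private key
}

# Count PEM blocks in the bundle: one private key plus one certificate.
bundle_blocks() {
    grep -c '^-----BEGIN ' "$BUNDLE"
}

# Stand-alone run: build everything and refuse to bundle a mismatched pair.
if [ "${1:-}" = "run" ]; then
    gen_key
    gen_cert
    echo "curve: $(key_curve)"
    key_matches_cert || { echo "private key does not match certificate" >&2; exit 1; }
    bundle
    echo "bundle written to $BUNDLE with $(bundle_blocks) PEM blocks"
fi
```

Run it with `sh script.sh run`. key_curve reads the ASN1 OID line that openssl prints for a named-curve key; a key generated with -param_enc explicit carries the full curve parameters instead of that line, so the function prints nothing for it, which is a quick way to tell the two encodings apart before deploying. key_matches_cert is the same comparison a server does when it loads the pair, so running it first turns a startup failure into a clear error at generation time.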
Thanks for the post. I found many useful commands to generate csr, key and self-signed crt on the fly with one command in non-interactive mode.
Here is the link – http://sysadm.pp.ua/internet/pound-apache-nginx-ssl-setup.html , maybe it would be useful.
Hi Guy,
Thanks for the tip.
I had some problems with the -param_enc explicit option though: when you use it to generate the keypair, openssl on the server side will not be able to pick a cipher suite from the ones presented by the client, and the connection is therefore not established.
When you remove the option (meaning that you default to named curve) everything works fine.
Thanks,
Philippe
Hi,
Can you please tell me how to import an OpenSSL certificate using ECDSA in NS2? I have already created the certificate; I need to know how to import the certificate into NS2 for further use.
If the line cat private-key.pem server.pem > server-private.pem doesn’t work for you and you’re on Windows, do this instead:
type private-key.pem server.pem > server-private.pem
Hope that helps someone.