Quite often than not i find myself needing to refresh on how to do some simple EC cert generation now that things are moving toward a more automated approach.
Below should give some insight in the general commands for generating an EC key, pem and CSR as well as converting some certs.
Generating an EC SSL Cert using openssl on the CLI
First there’s a few things to consider - what strength key do you want to employ
1
2
| # the following command lists the available ciphers
openssl ecparam -list_curves
|
To generate an SSL Key using a specific key, in this instance a 256bit X9.62/SECG curve
1
2
| # Use openssl to generate the key
openssl ecparam -name prime256v1 -genkey -out private-key.key
|
The following enables the generation of a CSR for signing
1
2
| # Generate CSR from a .cnf and the private key file
openssl req -new -sha256 -nodes -key private.key -out sslcert.csr -config sslcertconfig.cnf
|
To generate a self signed .pem file use the following. If needed, you can also generate a .pfx file from the pem and private key
1
2
3
4
5
| # Create a self-signed certificate for 360 days
openssl req -new -x509 -key private-key.key -out cert.pem -days 360
# Conver the newly created self signed cert from pem to pfx
openssl pkcs12 -export -inkey private-key.key -in cert.pem -out cert.pfx
|
If you want create a trust chain withthe public key from the private key, you can do that here
1
2
| # generate corresponding public key
openssl ec -in private-key.key -pubout -out public-key.key
|
## Below are some examples of the config output
1
| openssl ecparam -out private.key -name prime256v1 -genkey
|
1
2
3
4
5
6
7
8
9
10
| cat private.key
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGeOdfaNpamOcXY5YvrdsvOdERQVMe8z5gwKMdVSTTSOoAoGCCqGSM49
AwEHoUQDQgAE30hvfthqLkH57Z9rnpwj+pEqqdjUjPvjRWp3+Jjo6EFkveVHnYkx
YgvOClXF9imi2rLld22UjnPTvLHib05EVQ==
-----END EC PRIVATE KEY-----
|
1
| openssl ecparam -noout -out private.key -name prime256v1 -genkey
|
1
2
3
4
5
6
7
| cat private.key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFHn7mwM/LBid7MSKNYmPtO5SZavtY9RhyEDtjckM6W7oAoGCCqGSM49
AwEHoUQDQgAEz1Uje2mbTJR73Jl+cUjMxd9f5paBPm/ju3eFQE+0Hjv21T6dwEHg
+GBXIAAmFpTBLpB39naAnFYmqRGqc8YHuw==
-----END EC PRIVATE KEY-----
|
Notice that specifying the -noout
parameter meant that the EC Paramters were ommitted from the .key file - these EC paramters are an OID format specifying what the key is
1
2
| echo "BggqhkjOPQMBBw==" | openssl base64 -d | openssl asn1parse -inform DER
0:d=0 hl=2 l= 8 prim: OBJECT :prime256v1
|
Once you have your CSR, inspect it with the following
You can use the optional tag of -verify
in the openssl comand below to verify the config - this adds the following at the top of the output if its verified as being ‘good’
verify OK
1
| openssl req -noout -text -in sslcert.csr
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, ST=test, L=test, O=test, OU=test, CN=test.localodmain.local/emailAddress=test@localdomain.local
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d4:5d:be:95:91:cb:06:4c:d1:7f:15:72:a5:0a:
9c:38:62:db:a3:59:6d:7a:4d:b1:19:6c:43:a8:a4:
77:ae:d1:8f:af:1c:4c:2f:4c:dc:8b:bd:95:c3:a3:
da:4b:a8:ff:f0:4b:22:fa:4b:88:17:9f:c3:da:68:
7d:8e:6b:f4:bb
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
61:F3:F8:78:04:B2:26:8A:A8:52:CF:3D:87:4D:CD:4B:BE:C0:A7:B7
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Subject Alternative Name:
DNS:test, DNS:test1.localdomain.local, DNS:test1, DNS:test2.localdomain.local, DNS:test2, DNS:test3.localdomain.local DNS:test3
Netscape Comment:
hostname
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:34:3a:46:e5:90:12:da:0c:5f:ad:05:f0:2b:9a:
99:7d:72:0e:5b:d5:8e:be:9a:26:bf:11:e1:89:b9:2b:30:11:
02:20:03:c9:f5:63:72:e6:f2:88:50:cb:99:fb:6b:42:d3:23:
e4:1a:58:e7:6d:7a:6b:8c:be:7a:2e:c9:b0:db:7a:f1
|