openssl ecparam -list_curves
The list is quite long and unless you know what you're doing you'll be better off choosing one of the sect* or secp* curves. For this tutorial I choose secp521r1 (a curve over a 521-bit prime).
Generating the certificate is done in two steps:

1. Create the private key:

openssl ecparam -name secp521r1 -genkey \
    -param_enc explicit -out private-key.pem

2. Create the self-signed X509 certificate:

openssl req -new -x509 -key private-key.pem \
    -out server.pem -days 730

The newly created server.pem and private-key.pem are the certificate and the private key, respectively. The -param_enc explicit tells openssl to embed the full parameters of the curve in the key, as opposed to just its name. This allows clients that are not aware of the specific curve name to work with it, at the cost of slightly increasing the size of the key (and the certificate).

You can examine the key and the certificate using

openssl ecparam -in private-key.pem -text -noout
openssl x509 -in server.pem -text -noout

Most webservers expect the private key to be chained to the certificate in the same file. So run:

cat private-key.pem server.pem > server-private.pem

And install server-private.pem as your certificate. If you don't concatenate the private key to the certificate, at least Lighttpd will complain with the following error:

SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line
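As an added example (not from the original post), here is the procedure above as a script, followed by the check worth running before installing server-private.pem: that the private key in the combined file really belongs to the certificate, which is what the webserver is testing when it raises an error like the one above. It assumes openssl is on PATH; the -subj option and the placeholder subject /CN=example.test are my additions so the script runs without the interactive DN prompts.

```shell
#!/bin/sh
# Added example: the two-step key/certificate procedure wrapped in functions,
# plus a key-to-certificate consistency check. Assumes openssl on PATH;
# "/CN=example.test" is a placeholder subject.
set -eu

# Step 1 and 2: EC key with explicit curve parameters, then a self-signed
# certificate valid for 730 days. -subj replaces the interactive DN prompts.
make_ec_cert() {
    dir=$1
    openssl ecparam -name secp521r1 -genkey -param_enc explicit \
        -out "$dir/private-key.pem"
    openssl req -new -x509 -key "$dir/private-key.pem" \
        -subj "/CN=example.test" -out "$dir/server.pem" -days 730
    # What most webservers expect: private key and certificate in one file.
    cat "$dir/private-key.pem" "$dir/server.pem" > "$dir/server-private.pem"
}

# Derive the public key from the private key and compare it with the public
# key embedded in the certificate. Both tools skip PEM blocks of other types,
# so this works on the combined file. A mismatch, or a file with no key at
# all, is exactly the situation a webserver rejects at startup.
verify_key_matches_cert() {
    combined=$1
    key_pub=$(openssl pkey -in "$combined" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$combined" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```

Run make_ec_cert on an empty directory, then verify_key_matches_cert on the resulting server-private.pem; a zero exit status means the file is safe to install.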