Generate and use ECDH certificate on a simple server-client model

Hi,
I'm trying to establish a TLS/SSL connection between 2 back-ends using the OpenSSL library.
The algorithm I would like to use is ECDHE-RSA-AES256-SHA.
At first, I want to generate 2 pairs of ECDH-RSA certificate/key, 1 for the server & 1 for the client, using a root CA as a signing authority. To simplify everything, I want to insert fixed ECDH parameters into the RSA certificate. For that I came up with the following solution.
Here are the commands I used to generate these 2 certificates:

#Root CA
openssl genrsa -out rootCA.key 2048 -aes256
openssl req -x509 -new -nodes -key rootCA.key -days 36500 -out rootCA.pem

#ECDH params
openssl ecparam -out ecparam.pem -name prime256v1
openssl genpkey -paramfile ecparam.pem -out eckey.pem

#ECDH certificate client
openssl genrsa -out rsaclient.key 2048 -aes256
openssl pkey -in eckey.pem -pubout -out ecpubkeyclient.pem
openssl req -new -key rsaclient.key -out rsaclient.csr -days 36500

#signed ECDH certificate client
openssl x509 -req -in rsaclient.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyclient.pem -out eccertclient.pem -CAcreateserial

#ECDH certificate server
openssl genrsa -out rsaserver.key 2048 -aes256
openssl pkey -in eckey.pem -pubout -out ecpubkeyserver.pem
openssl req -new -key rsaserver.key -out rsaserver.csr -days 36500

#signed ECDH certificate server
openssl x509 -req -in rsaserver.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyserver.pem -out eccertserver.pem -CAcreateserial

If I understand correctly, I will obtain: 
Root key: rootCA.key
Root certificate: rootCA.pem
ECDH client: eccertclient.pem
ECDH client private key: rsaclient.key
ECDH server: eccertserver.pem
ECDH server private key: rsaserver.key

However, when I used SSL_CTX_check_private_key to check eccertserver.pem against rsaserver.key, an error occurred.
Is there anything I did wrong when I used these commands?
Any help would be appreciated, thanks in advance.
Best regards,

--

Huy Cong
06 69 07 97 82
Wandercraft SAS
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
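An added example, not part of the original post or of the OpenSSL project's own code, that shows what the check in SSL_CTX_check_private_key actually compares: the public key carried in the certificate against the public part of the private key loaded next to it. It builds a small RSA-only PKI of the kind an ECDHE-RSA cipher suite expects (the ECDH part of ECDHE is ephemeral and negotiated in the handshake, so nothing EC has to live in the certificate), and alongside it a certificate whose public key was replaced with an EC key via -force_pubkey, so the mismatch becomes visible on the command line before any C code is involved. It assumes the openssl CLI is on PATH; every file name and subject (ca.key, server.test, forced.pem, ...) is constructed for the demo.

```shell
#!/bin/sh
# Added example: RSA PKI for an ECDHE-RSA suite, plus the cert/key match check
# that SSL_CTX_check_private_key performs. Assumes the openssl CLI is on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping demo" >&2; exit 0; }

# Generate an RSA root CA, an RSA server key and a CA-signed server cert.
# Also create a deliberately mismatched cert whose public key was replaced
# with an EC key (the failure mode discussed in the post).
make_demo_pki() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -subj /CN=DemoRootCA \
        -days 365 -out "$dir/ca.pem"

    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj /CN=server.test \
        -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/server.pem" 2>/dev/null

    # Constructed mismatch: the CSR was signed with the RSA key, but the
    # issued certificate carries an EC public key instead.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key"
    openssl pkey -in "$dir/ec.key" -pubout -out "$dir/ecpub.pem"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -force_pubkey "$dir/ecpub.pem" \
        -out "$dir/forced.pem" 2>/dev/null
}

# Print the public key algorithm the certificate carries (rsaEncryption, id-ecPublicKey, ...).
cert_key_type() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Succeed only if the certificate's public key equals the private key's public part,
# which is the relationship SSL_CTX_check_private_key verifies.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate chains to the given CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

for c in server forced; do
    printf '%s.pem: key algorithm %s, ' "$c" "$(cert_key_type "$DEMO_DIR/$c.pem")"
    if key_matches_cert "$DEMO_DIR/$c.pem" "$DEMO_DIR/server.key"; then
        echo "matches server.key"
    else
        echo "does NOT match server.key"
    fi
done
```

Both certificates verify against the CA, because the CA signature says nothing about whether the subject's private key is at hand; only the public-key comparison catches the mismatch. Comparing the PEM output of `openssl x509 -pubkey` and `openssl pkey -pubout` is the same test one would run before loading a cert/key pair into an SSL_CTX.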
