|
Hi,
I am confused about the two different ways I can generate an EC private key and why this is causing me problems with the test s_client s_server applications
So, I am using the command below to generate a private key, then using this to create
a certificate to work with openssl s_client s_server.
openssl ecparam -name secp384r1 -genkey -out privkey.pem (1)
I then create the .csr with the following two commands,
openssl req -key privkey.pem -out pub.csr -new
(2)
openssl x509 -req -in pub.csr -signkey privkey.pem
-out pub.crt (3)
This works with s_server/s_client.
But, when I generate a key like this:
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -out privkey.pem
(4)
If I now create a signed .crt with (2) and (3) above, then use this pair with openssl s_server
it does not negotiate a cipher suite and it doesn't work.
Using this url (https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations) It
turns out, if I take the key generated by (4) above, and convert it to pk8 with
openssl pkcs8 -topk8 -nocrypt -in privkey_ec.pem -out privkey.pem
If I now use this key to create the .crt and use this key pair with openssl s_server it works.
My question is why does the format of the private key make any difference. Surely openssl can decode the key in any supported format, after all it created it, and all
the required information must be in it, as it is able to convert to pk8 format that works.
Note:
I am running openssl server/client like this..
openssl.exe s_server -tls1_2 -key privkey.pem -cert pub.crt -debug
and
openssl.exe s_client -tls1_2
Thanks!
|
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
