Re: ECDSA curves and certificates in 1.0.2X vs 1.1.x

Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
    > On Tue, Jun 25, 2019 at 10:38:50AM -0400, Michael Richardson wrote:

    >> openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    >> -nodes -subj "/CN=${ULA_HOSTNAME}" \
    >> -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \
    >> -reqexts SAN \
    >> -config /tmp/shg.ossl.cnf

    > This generates a key that has explicit parameters (rather than a named
    > curve) also in OpenSSL 1.0.2h, for example.  Since you probably want
    > to use named curves, with 1.0.2 you'll have to generate the key separately,
    > and explicitly indicate that you want a named curve key.  For that also
    > include an additional:

    > -pkeyopt ec_param_enc:named_curve

    > option.  This was not on by default in OpenSSL 1.0.2.

Thank you again, this worked great.
(I wonder if we had that before, and it just got lost as we rebuild from source)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [

Attachment: signature.asc
Description: PGP signature

