Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote: > On Tue, Jun 25, 2019 at 10:38:50AM -0400, Michael Richardson wrote: >> openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \ >> -nodes -subj "/CN=${ULA_HOSTNAME}" \ >> -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \ >> -reqexts SAN \ >> -config /tmp/shg.ossl.cnf > This generates a key that has explicit parameters (rather than a named > curve) also in OpenSSL 1.0.2h, for example. Since you probably want > to use named curves, with 1.0.2 you'll have to generate the key separately, > and explicitly indicate that you want a named curve key. For that also > include an additional: > -pkeyopt ec_param_enc:named_curve > option. This was not on by default in OpenSSL 1.0.2. Thank you again, this worked great. (I wonder if we had that before, and it just got lost as we rebuild from source) -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
Attachment:
signature.asc
Description: PGP signature