[openssl-users] EDDSA certificates

Robert Moskowitz rgm at htt-consult.com
Tue Aug 8 15:12:52 UTC 2017


I have read:  https://github.com/openssl/openssl/issues/487

And I am trying to grok its meaning.  I am running Fedora24 (I need to 
buy an new SSD before upgrading to F26) which has openssl 1.0.2k.

There is a note of a patch to 1.0.2j, but talk about 1.1.1.  I have 
attempted to read

https://gist.github.com/ladar/e45e893901f30f480dd49265ba3c42c0

Is there a command line option for creating an ed25519 cert and if so 
what version?  I tried:

openssl req -new -outform PEM -out certs/$commonName.crt -newkey ed25519 
-nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509 
-extensions v3_req -subj 
"/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"

And got:

Unknown algorithm ed25519

thanks.

On 07/27/2017 10:45 AM, Benjamin Kaduk wrote:
> On 07/27/2017 09:18 AM, Robert Moskowitz wrote:
>> Rich,
>>
>> Meant to ask you about this at IETF.
>>
>> Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to 
>> produce these???
>>
>
> There is code to validate them, per commit 
> 4328dd41582bcdca8e4f51f0a3abadfafa2163ee.  I didn't look hard enough 
> to find how to generate them, but it ought to be there too.
>
>> And, relatedly, what do you think about CBOR encoding rather than 
>> ASN.1?  Kill ASN.1 in constrained devices and save on transmission 
>> costs?
>
> It seems hard to shift a big ecosystem and introduce risk of 
> incompatibility, but I haven't really thought about it.
>
> -Ben



More information about the openssl-users mailing list