[openssl-users] Password protect EC private key

Robert Moskowitz rgm at htt-consult.com
Thu Aug 10 16:03:31 UTC 2017


I am following: 
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

But modifying it to produce ECDSA certs.  So the first step is to make 
the private key.  Jamie says:

openssl genrsa -aes256 -out private/ca.key.pem 4096

The -aes256 option supposedly password protects this private key. So 
after some googling I created:

openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem

But openssl ecparam does not have any option equivalent (that I can 
find) to -aes256

What am I missing?

And I successfully generated the root CA ECDSA cert with:

openssl req -config openssl.cnf -key private/ca.key.pem \
       -new -x509 -days 7300 -sha256 -extensions v3_ca \
       -out certs/ca.cert.pem

The config file is the one Jamie provides on his pages.

Also the following:

openssl ecparam -in private/ca.key.pem -text -noout

Gives me an error:

unable to load elliptic curve parameters
140598030526328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: EC PARAMETERS

Is this because I created the private key without including the 
parameters?  I got my ECDSA tips from:

https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

Meanwhile on to the sub-CA cert.

thanks

Bob
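
The following is an added example, not part of the original post: it pipes the ecparam command from the message into `openssl ec -aes256`, which takes the cipher option that ecparam lacks, and inspects the result with `openssl ec` rather than `openssl ecparam`. The function names and the CA_KEY_PASS / KEY_TRY_PASS environment variables are assumptions made for the example; the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post.
# CA_KEY_PASS must be exported by the caller and holds the passphrase.
# For interactive use, drop the -passout/-passin options and openssl prompts.

# make_encrypted_ec_key OUTFILE [CURVE]
# Generates the key with the post's ecparam command and encrypts it in the
# same pipeline, so the unencrypted key is never written to disk.
make_encrypted_ec_key() {
    out=$1
    curve=${2:-secp256k1}   # curve used in the post
    ( umask 077             # key file readable by owner only
      openssl ecparam -name "$curve" -genkey -noout 2>/dev/null |
          openssl ec -aes256 -passout env:CA_KEY_PASS -out "$out" 2>/dev/null )
}

# key_is_encrypted FILE
# True if the PEM is marked encrypted. Matches both the traditional
# "Proc-Type: 4,ENCRYPTED" header and a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_opens_with FILE PASSPHRASE
# True only if PASSPHRASE decrypts the key.
key_opens_with() {
    KEY_TRY_PASS=$2 openssl ec -in "$1" -passin env:KEY_TRY_PASS \
        -noout >/dev/null 2>&1
}

# show_key FILE
# Prints the key details. `openssl ec` reads the EC PRIVATE KEY block;
# `openssl ecparam -in` looks for an EC PARAMETERS block, which
# `ecparam -genkey -noout` does not write.
show_key() {
    openssl ec -in "$1" -passin env:CA_KEY_PASS -text -noout 2>/dev/null
}

# Usage (constructed sample values):
#   export CA_KEY_PASS='constructed-sample-passphrase'
#   make_encrypted_ec_key private/ca.key.pem
#   key_is_encrypted private/ca.key.pem && show_key private/ca.key.pem
```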
