[openssl-users] Generate and use ECDH certificate on a simple server-client model
Huy Cong Vu
huy-cong.vu at wandercraft.eu
Mon Oct 31 17:08:56 UTC 2016
I'm trying to establish a TLS/SSL connection between 2 back-end using OpenSSL library.
The algorithm I would like to use is ECDHE-RSA-AES256-SHA.
At first, I want to generate 2 pairs of ECDH-RSA certificate/key, 1 for the server & 1 for the client using a root CA as a signed authority. To simplify everthing, I want to insert a fixed ECDH parameters into the RSA certificate. For that I came up with the following solution
Here are the commands I used to generate these 2 certificate:
openssl genrsa -out rootCA.key 2048 -aes256
openssl req -x509 -new -nodes -key rootCA.key -days 36500 -out rootCA.pem
openssl ecparam -out ecparam.pem -name prime256v1
openssl genpkey -paramfile ecparam.pem -out eckey.pem
#ECDH certificate client
openssl genrsa -out rsaclient.key 2048 -aes256
openssl pkey -in eckey.pem -pubout -out ecpubkeyclient.pem
openssl req -new -key rsaclient.key -out rsaclient.csr -days 36500
#signed ECDH certificate client
openssl x509 -req -in rsaclient.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyclient.pem -out eccertclient.pem -CAcreateserial
#ECDH certificate server
openssl genrsa -out rsaserver.key 2048 -aes256
openssl pkey -in eckey.pem -pubout -out ecpubkeyserver.pem
openssl req -new -key rsaserver.key -out rsaserver.csr -days 36500
#signed ECDH certificate server
openssl x509 -req -in rsaserver.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyserver.pem -out eccertserver.pem -CAcreateserial
If I understand correctly, I will obtain:
Root key: rootCA.key
Root certificate: rootCA.pem
ECDH client: eccertclient.pem
ECDH client private key: rsaclient.key
ECDH server: eccertserver.pem
ECDH server private key: rsaserver.key
However, when I used SSL_CTX_check_private_key to check between eccertserver.pem & rsaserver.key, an error was occured.
Is there anything I did was wrong when I use the commands.
Any help would be appriciate, thanks in advance.
06 69 07 97 82
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users