[openssl-users] Generate and use ECDH certificate on a simple server-client model

Huy Cong Vu huy-cong.vu at wandercraft.eu
Mon Oct 31 17:08:56 UTC 2016

I'm trying to establish a TLS/SSL connection between 2 back-end using OpenSSL library. 
The algorithm I would like to use is ECDHE-RSA-AES256-SHA. 
At first, I want to generate 2 pairs of ECDH-RSA certificate/key, 1 for the server & 1 for the client using a root CA as a signed authority. To simplify everthing, I want to insert a fixed ECDH parameters into the RSA certificate. For that I came up with the following solution 
Here are the commands I used to generate these 2 certificate: 

#Root CA 
openssl genrsa -out rootCA.key 2048 -aes256 
openssl req -x509 -new -nodes -key rootCA.key -days 36500 -out rootCA.pem 

#ECDH params 
openssl ecparam -out ecparam.pem -name prime256v1 
openssl genpkey -paramfile ecparam.pem -out eckey.pem 

#ECDH certificate client 
openssl genrsa -out rsaclient.key 2048 -aes256 
openssl pkey -in eckey.pem -pubout -out ecpubkeyclient.pem 
openssl req -new -key rsaclient.key -out rsaclient.csr -days 36500 

#signed ECDH certificate client 
openssl x509 -req -in rsaclient.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyclient.pem -out eccertclient.pem -CAcreateserial 

#ECDH certificate server 
openssl genrsa -out rsaserver.key 2048 -aes256 
openssl pkey -in eckey.pem -pubout -out ecpubkeyserver.pem 
openssl req -new -key rsaserver.key -out rsaserver.csr -days 36500 

#signed ECDH certificate server 
openssl x509 -req -in rsaserver.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyserver.pem -out eccertserver.pem -CAcreateserial 

If I understand correctly, I will obtain: 
Root key: rootCA.key 
Root certificate: rootCA.pem 
ECDH client: eccertclient.pem 
ECDH client private key: rsaclient.key 
ECDH server: eccertserver.pem 
ECDH server private key: rsaserver.key 

However, when I used SSL_CTX_check_private_key to check between eccertserver.pem & rsaserver.key, an error was occured. 
Is there anything I did was wrong when I use the commands. 
Any help would be appriciate, thanks in advance. 
Best regards, 


Huy Cong 
06 69 07 97 82 
Wandercraft SAS 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161031/16848491/attachment.html>

More information about the openssl-users mailing list