[openssl-users] EDDSA certificates
Robert Moskowitz
rgm at htt-consult.com
Tue Aug 8 15:12:52 UTC 2017
I have read: https://github.com/openssl/openssl/issues/487
And I am trying to grok its meaning. I am running Fedora24 (I need to
buy an new SSD before upgrading to F26) which has openssl 1.0.2k.
There is a note of a patch to 1.0.2j, but talk about 1.1.1. I have
attempted to read
https://gist.github.com/ladar/e45e893901f30f480dd49265ba3c42c0
Is there a command line option for creating an ed25519 cert and if so
what version? I tried:
openssl req -new -outform PEM -out certs/$commonName.crt -newkey ed25519
-nodes -keyout private/$commonName.key -keyform PEM -days 3650 -x509
-extensions v3_req -subj
"/countryName=$countryName/stateOrProvinceName=$stateOrProvinceName/localityName=$localityName/organizationName=$organizationName/organizationalUnitName=$organizationalUnitName/commonName=$commonName/emailAddress=$emailAddress"
And got:
Unknown algorithm ed25519
thanks.
On 07/27/2017 10:45 AM, Benjamin Kaduk wrote:
> On 07/27/2017 09:18 AM, Robert Moskowitz wrote:
>> Rich,
>>
>> Meant to ask you about this at IETF.
>>
>> Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to
>> produce these???
>>
>
> There is code to validate them, per commit
> 4328dd41582bcdca8e4f51f0a3abadfafa2163ee. I didn't look hard enough
> to find how to generate them, but it ought to be there too.
>
>> And, relatedly, what do you think about CBOR encoding rather than
>> ASN.1? Kill ASN.1 in constrained devices and save on transmission
>> costs?
>
> It seems hard to shift a big ecosystem and introduce risk of
> incompatibility, but I haven't really thought about it.
>
> -Ben
More information about the openssl-users
mailing list