[openssl-users] Password protect EC private key
Robert Moskowitz
rgm at htt-consult.com
Thu Aug 10 16:03:31 UTC 2017
I am following:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
But modifying it to produce ECDSA certs. So the first step is to make
the private key. Jamie says:
openssl genrsa -aes256 -out private/ca.key.pem 4096
The -aes256 option supposedly password protects this private key. So
after some googling I created:
openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
But openssl ecparam does not have any option equivalent (that I can
find) to -aes256
What am I missing?
And I successfully generated the root CA ECDSA cert with:
openssl req -config openssl.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
The config file is the one Jamie provides on his pages.
Also the following:
openssl ecparam -in private/ca.key.pem -text -noout
Gives me an error:
unable to load elliptic curve parameters
140598030526328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: EC PARAMETERS
Is this because I created the private key without including the
parameters? I got my ECDSA tips from:
https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
Meanwhile on to the sub-CA cert.
thanks
Bob
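
Added example (not part of the original post): openssl ecparam has no cipher option, so one way to get a passphrase-protected EC key is to pipe the freshly generated key through openssl ec -aes256. openssl ecparam -in reads an EC PARAMETERS block, which -noout left out of the key file, so the sketch inspects the key with openssl ec instead. The function names and the CA_KEY_PASS environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create and check a passphrase-protected EC private key.
# Assumption: the passphrase is passed in the environment variable
# CA_KEY_PASS (a name chosen for this example), so it never appears in argv.

# gen_encrypted_ec_key CURVE OUTFILE
gen_encrypted_ec_key() {
    curve=$1 out=$2
    (
        umask 077   # key file readable by its owner only
        # The clear key only exists inside the pipe; "openssl ec" writes it
        # to disk already encrypted with AES-256.
        openssl ecparam -name "$curve" -genkey -noout |
            openssl ec -aes256 -passout env:CA_KEY_PASS -out "$out"
    )
}

# key_is_encrypted FILE: true if the PEM is marked as encrypted
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_opens FILE: true only if CA_KEY_PASS decrypts the key.
key_opens() {
    openssl pkey -in "$1" -passin env:CA_KEY_PASS -noout 2>/dev/null
}

# key_curve FILE: print the named curve of the key. The key file holds an
# EC PRIVATE KEY block, so it is read with "openssl ec", not "ecparam".
key_curve() {
    openssl ec -in "$1" -passin env:CA_KEY_PASS -text -noout 2>/dev/null |
        sed -n 's/^ASN1 OID: //p'
}

# Stand-alone use, e.g.:
#   CA_KEY_PASS=... sh ec-key.sh gen secp256k1 private/ca.key.pem
if [ "${1:-}" = "gen" ]; then
    gen_encrypted_ec_key "$2" "$3" && key_is_encrypted "$3" &&
        echo "encrypted $(key_curve "$3") key written to $3"
fi
```

The req command from the post can then take the same passphrase non-interactively with -passin env:CA_KEY_PASS.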