Elliptic Curve Cryptography (ECC for short) is a family of public-key algorithms. In a TLS certificate the ECC key pair is used with ECDSA to sign and authenticate the server, not to encrypt the application data directly. ECC offers a few advantages over RSA. ECC keys are much smaller for the same security level (a 256-bit curve key is comparable to a 3072-bit RSA key), which means smaller certificates and handshakes and faster signing, a benefit for media streaming, VPN connections and other bandwidth- or latency-sensitive applications. This article will show you how to create a self-signed ECC certificate on Ubuntu 14.04. The same steps work on any other Linux distribution that has OpenSSL installed.
To ensure that everything works out well, first update your system so that it runs the latest stable packages, including OpenSSL. Run the following commands as root (or prefix them with sudo):
apt-get update
apt-get dist-upgrade
We will generate a private key on the prime256v1 curve (also known as P-256 or secp256r1), the curve most widely supported by TLS clients. Note that the output file will also carry an EC PARAMETERS block in front of the key; the -noout option omits it, and some software is happier without it.
openssl ecparam -out private.key -name prime256v1 -genkey
Now, use OpenSSL to generate a CSR (Certificate Signing Request) for the certificate. We will sign the CSR with SHA-512 (a member of the SHA-2 family). SHA-256 or stronger is recommended; for a P-256 key, SHA-256 is the usual pairing. SHA-1 is deprecated and CAs (Certificate Authorities) no longer accept SHA-1 requests or issue SHA-1 certificates. Keep in mind that the digest you choose here only covers the CSR's own signature; the CA picks the digest for the certificate it issues.
openssl req -new -key private.key -out certificate.csr -sha512
OpenSSL will prompt for the subject fields. If the certificate is for a domain, make sure that the Common Name is set to that domain name. The 'extra' attributes (a challenge password and an optional company name) can be left blank. Be aware that modern browsers match the hostname against the subjectAltName extension rather than the Common Name, so for anything beyond a quick test the name should also be present as a SAN; the interactive prompt does not ask for one, so that is done through an OpenSSL config file.
You will now create the certificate from the CSR and sign it with the same private key, which is what makes it self-signed.
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt -sha512
If no error occurs, then you have successfully made a self-signed ECC certificate. Clients will warn about it until they are explicitly told to trust it, since no CA vouches for it.
If you wish to use the certificate publicly, or in production, pass the CSR (never the private key) to your CA and have them issue a signed certificate to you. Also, keep private.key in a secure location on your server and make sure it is readable only by its owner (for example chmod 400, owned by root or by the service account that needs it); a file that is merely read-only can still be read by every user. If you lose your key, you will have to create a new key and CSR to have a new certificate issued to you; if the key is exposed, have the certificate revoked and do the same.
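The whole procedure above, collected into one script with the subjectAltName and key-permission points applied and three checks at the end, as an added example that is not part of the original article. The function name make_ecc_cert, the hostname www.example.test and the file layout are my own choices, and the script assumes only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original article): generate a self-signed
# ECC certificate for one hostname and check the result.
# Assumptions: POSIX sh and the openssl CLI; hostname and paths are
# illustrative.
set -eu

# make_ecc_cert DIR HOSTNAME [DAYS]
# Writes private.key, certificate.csr and certificate.crt under DIR,
# then verifies them. Prints "ok" on success, returns non-zero otherwise.
make_ecc_cert() {
    dir="$1"
    host="$2"
    days="${3:-365}"
    cfg="$dir/openssl.cnf"

    # Request config: non-interactive subject plus a subjectAltName, which
    # is what browsers match the hostname against (not the Common Name).
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req

[ dn ]
CN = $host

[ v3_req ]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
EOF

    # Private key on P-256. -noout drops the EC PARAMETERS block that
    # ecparam otherwise writes in front of the key.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/private.key"
    chmod 0400 "$dir/private.key"

    # CSR, signed with SHA-256 (the usual pairing for a P-256 key).
    openssl req -new -sha256 -key "$dir/private.key" -config "$cfg" \
        -out "$dir/certificate.csr"

    # Self-sign with the same key. x509 -req does not carry the CSR's
    # extensions into the certificate by default, so they are supplied
    # again via -extfile/-extensions.
    openssl x509 -req -sha256 -days "$days" -in "$dir/certificate.csr" \
        -signkey "$dir/private.key" -extfile "$cfg" -extensions v3_req \
        -out "$dir/certificate.crt"

    # Check 1: the public key in the certificate matches the private key.
    pub_from_key=$(openssl pkey -in "$dir/private.key" -pubout)
    pub_from_crt=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey)
    [ "$pub_from_key" = "$pub_from_crt" ] || { echo "key mismatch" >&2; return 1; }

    # Check 2: the SAN made it into the certificate.
    openssl x509 -in "$dir/certificate.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "subjectAltName missing" >&2; return 1; }

    # Check 3: the self-signature validates with the certificate as its
    # own trust anchor, the only way a self-signed certificate can verify.
    openssl verify -CAfile "$dir/certificate.crt" "$dir/certificate.crt" >/dev/null \
        || { echo "signature verification failed" >&2; return 1; }

    echo ok
}

# Stand-alone use: sh make-ecc-cert.sh DIR HOSTNAME [DAYS]
if [ $# -ge 2 ]; then
    make_ecc_cert "$@"
fi
```

Run it as `sh make-ecc-cert.sh /etc/ssl/private www.example.test 365` (the directory must already exist). The three checks catch the mistakes that most often surface only later in a server log: a certificate installed next to the wrong key, a name that is only in the Common Name, and a signing step that silently produced an unusable file.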