Hi, I'm trying to establish a TLS/SSL connection between 2 back-ends using the OpenSSL library. The algorithm I would like to use is ECDHE-RSA-AES256-SHA. At first, I want to generate 2 pairs of ECDH-RSA certificate/key, 1 for the server & 1 for the client, using a root CA as a signing authority. To simplify everything, I want to insert fixed ECDH parameters into the RSA certificate. For that I came up with the following solution. Here are the commands I used to generate these 2 certificates:
# Root CA
openssl genrsa -out rootCA.key 2048 -aes256
openssl req -x509 -new -nodes -key rootCA.key -days 36500 -out rootCA.pem

# ECDH params
openssl ecparam -out ecparam.pem -name prime256v1
openssl genpkey -paramfile ecparam.pem -out eckey.pem

# ECDH certificate client
openssl genrsa -out rsaclient.key 2048 -aes256
openssl pkey -in eckey.pem -pubout -out ecpubkeyclient.pem
openssl req -new -key rsaclient.key -out rsaclient.csr -days 36500

# signed ECDH certificate client
openssl x509 -req -in rsaclient.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyclient.pem -out eccertclient.pem -CAcreateserial

# ECDH certificate server
openssl genrsa -out rsaserver.key 2048 -aes256
openssl pkey -in eckey.pem -pubout -out ecpubkeyserver.pem
openssl req -new -key rsaserver.key -out rsaserver.csr -days 36500

# signed ECDH certificate server
openssl x509 -req -in rsaserver.csr -CAkey rootCA.key -CA rootCA.pem -force_pubkey ecpubkeyserver.pem -out eccertserver.pem -CAcreateserial

If I understand correctly, I will obtain:

Root key: rootCA.key
Root certificate: rootCA.pem
ECDH client: eccertclient.pem
ECDH client private key: rsaclient.key
ECDH server: eccertserver.pem
ECDH server private key: rsaserver.key

However, when I used SSL_CTX_check_private_key to check eccertserver.pem against rsaserver.key, an error occurred. Is there anything I did wrong when using these commands? Any help would be appreciated, thanks in advance.

Best regards,
--
Huy Cong
06 69 07 97 82
Wandercraft SAS
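An added check for the failing step (example script, not part of the original post): SSL_CTX_check_private_key compares the private key you load against the public key embedded in the certificate. With -force_pubkey the certificate carries the EC public key derived from eckey.pem, while rsaserver.key is an RSA key, so the two cannot match and the check is expected to fail. The script rebuilds that setup with constructed file names (rootCA.key, eckey.pem, rsaserver.key, eccertserver.pem in a temporary directory; keys are left unencrypted so it runs unattended, whereas the post used -aes256) and compares public keys with the openssl CLI, which is the same comparison the library performs. Note that ECDHE-RSA-AES256-SHA only needs an RSA-keyed certificate: the ECDH part is ephemeral and negotiated during the handshake; a fixed EC key inside the certificate corresponds to the static ECDH-RSA suites, which give no forward secrecy.

```shell
#!/bin/sh
# Added example, not the original poster's code. Reproduces the -force_pubkey
# scheme from the post and checks which private key actually matches the
# resulting certificate. Requires the openssl CLI (1.0.2 or newer).
set -eu

# pubkey_of FILE: print the SubjectPublicKeyInfo (PEM) of a certificate, or of
# a private key if FILE is not a certificate. Both forms compare as plain text.
pubkey_of() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null || openssl pkey -in "$1" -pubout
}

# key_matches_cert CERT KEY: succeed only if KEY's public half equals the
# public key carried in CERT (what SSL_CTX_check_private_key verifies).
key_matches_cert() {
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$2")" ]
}

# make_forced_cert DIR: constructed rebuild of the post's flow. An RSA CA key
# signs a CSR made with an RSA server key, but the certificate's public key is
# forced to the EC public key, so the cert no longer belongs to rsaserver.key.
make_forced_cert() {
    d="$1"
    openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/rootCA.key" -days 365 \
        -subj "/CN=Example Root" -out "$d/rootCA.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/eckey.pem"
    openssl pkey -in "$d/eckey.pem" -pubout -out "$d/ecpubkeyserver.pem"
    openssl genrsa -out "$d/rsaserver.key" 2048 2>/dev/null
    openssl req -new -key "$d/rsaserver.key" -subj "/CN=server.example" \
        -out "$d/rsaserver.csr"
    openssl x509 -req -in "$d/rsaserver.csr" -CA "$d/rootCA.pem" \
        -CAkey "$d/rootCA.key" -CAcreateserial -force_pubkey "$d/ecpubkeyserver.pem" \
        -days 365 -out "$d/eccertserver.pem" 2>/dev/null
}

# Run "sh check_forced_pubkey.sh demo" to see both checks on fresh files.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_forced_cert "$tmp"
    if key_matches_cert "$tmp/eccertserver.pem" "$tmp/rsaserver.key"; then
        echo "rsaserver.key matches eccertserver.pem"
    else
        echo "rsaserver.key does NOT match eccertserver.pem (SSL_CTX_check_private_key fails here)"
    fi
    if key_matches_cert "$tmp/eccertserver.pem" "$tmp/eckey.pem"; then
        echo "eckey.pem matches eccertserver.pem: the certificate carries the EC key, not the RSA key"
    fi
    rm -rf "$tmp"
fi
```

The same comparison can be done by hand on the post's own files: `openssl x509 -in eccertserver.pem -noout -pubkey` prints an EC public key, while `openssl pkey -in rsaserver.key -pubout` prints an RSA one.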
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users