On 28 May 2014 11:06, Sverre Moe <[email protected]> wrote:
> I used the following openssl command for my ECC private key and CSR.
> openssl ecparam -name secp521r1 -genkey -param_enc explicit -out
> private-key.pem
> openssl req -new -key private-key.pem -nodes -sha384 -out ecc_clientReq.csr
>
> So what is the point of this switch?
> -param_enc explicit
> Can't find any information about this on
> https://www.openssl.org/docs/apps/req.html
>
Well, as its a switch for ecparam not req, its not document on the req page! :-)

It is documented here:

http://www.openssl.org/docs/apps/ecparam.html

I suggest you do not use it, and go with the default of named curves.
In most circumstances that is what you really want. In theory you can
use your own custom curve, in which case you would have to use
explicit parameters. But in practice no one really does that -
everyone just uses standard named curves.



> Using Java keytool:
> keytool -genkeypair -alias tomcat -keyalg EC -keysize 521 -validity 730
> -keystore .keystore
> keytool -certreq -alias kspt -file ecc_clientReq.csr -keystore .keystore
> Keytool maps the keysize to the named curve. In this case its secp521r1.
>
>
> While we are on the subject on ECC. Could my ECC certificate work with
> browsers that does only support RSA authentication, like TLS_ECDHE_RSA or
> TLS_DHE_RSA?

No. You will need an RSA certificate for this.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to