I am following: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

But modifying it to produce ECDSA certs. So the first step is to make the private key. Jamie says:

openssl genrsa -aes256 -out private/ca.key.pem 4096

The -aes256 option supposedly password protects this private key. So after some googling I created:

openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem

But openssl ecparam does not have any option equivalent (that I can find) to -aes256

What am I missing.

And I successfully generated the root CA ECDSA cert with:

openssl req -config openssl.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

The config file is the one Jamie provides on his pages.

Also the following:

openssl ecparam -in private/ca.key.pem -text -noout

Gives me an error:

unable to load elliptic curve parameters
140598030526328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: EC PARAMETERS

Is this because I created the private key without including the parameters? I got my ECDSA tips from:


Meanwhile on to the sub-CA cert.



openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to