Hi Jefferson,

> 2 - NOT Working scenario: Requesting an EC certificate - But I don't see
> anything suspicious in the logs -
> What I do:
> tail -f /var/log/openxpki/*.log
> Then I ask OpenXPKI to generate an EC certificate (testec01.crt)
> Key Algorithm: Elliptic Curve - Key Encryption Method: AES 256bit - Curve name:
> I18N_OPENXPKI_UI_KEY_CURVE_NAME_PRIME256V1
>
> Then simulated a web server with testec01.crt (this time another port to leave
> the other one running):
> openssl s_server -cert testec01.crt -key testec01.pem -www -accept 5443

Your problem is that the EC server certificate does not contain the key usage keyAgreement required for an ECDH TLS key exchange. EC certificates cannot be used for encryption, hence the keyAgreement KU is required and the keyEncipherment key usage in the certificate is redundant/not usable.

Memo to self: we should add the keyAgreement KU to the sample profiles.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
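To see which KeyUsage bits a certificate actually carries before blaming the TLS server, here is an added example (not from this thread or the OpenXPKI project) that decodes the DER value of the X.509 KeyUsage extension and reports the findings discussed above for an EC server certificate; the sample byte strings are constructed, not taken from testec01.crt.

```python
# Added example: decode an X.509 KeyUsage extension value (an ASN.1 BIT STRING,
# RFC 5280 section 4.2.1.3) and check it against what an EC server cert needs.

# RFC 5280 KeyUsage bit positions, MSB-first within the BIT STRING body.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (a.k.a. contentCommitment)
    "keyEncipherment",    # bit 2 (RSA key transport only)
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4 (ECDH / DH)
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# Constructed sample values: the first is a typical RSA-style profile
# (digitalSignature + keyEncipherment), the second an EC-friendly one
# (digitalSignature + keyAgreement).
RSA_STYLE_KU = bytes.fromhex("030205a0")
EC_STYLE_KU = bytes.fromhex("03020388")


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING into the set of named KeyUsage bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            names.add(KEY_USAGE_BITS[i])
    return names


def ec_server_cert_findings(usage: set) -> list:
    """Findings for an EC server cert: keyEncipherment is dead weight on an EC
    key, ECDH needs keyAgreement, and signing the ECDHE handshake needs
    digitalSignature."""
    findings = []
    if "keyEncipherment" in usage:
        findings.append("keyEncipherment is meaningless for an EC key")
    if "keyAgreement" not in usage:
        findings.append("keyAgreement missing: ECDH key exchange not permitted")
    if "digitalSignature" not in usage:
        findings.append("digitalSignature missing: cannot sign ECDHE handshake")
    return findings


if __name__ == "__main__":
    for label, der in (("RSA-style", RSA_STYLE_KU), ("EC-style", EC_STYLE_KU)):
        usage = decode_key_usage(der)
        print(label, sorted(usage), ec_server_cert_findings(usage) or "ok")
```

On a real certificate the same bits are shown in text form under "X509v3 Key Usage" by `openssl x509 -in testec01.crt -noout -text`, which is the quickest way to confirm what the profile actually issued.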
