openssl ecparam -genkey -name "name_of_curve" -out eckey.pem
where "name_of_curve" is the name of a named curve; the list of available curves is at:
openssl ecparam -list_curves
That genkey will generate a private key.
That key can be used to sign data using ECDSA.
If necessary, a self-signed certificate could be made by:
openssl req -x509 -new -key eckey.pem -out eccert.crt
It will ask questions about what to put in certificate (country, organization, common name, etc), that depends on your openssl.cnf file.
ECDH requires ECDH parameters, there usually are defaults. That is a part of server configuration. ECDH parameters basically consist of one selected named curve (from the same set as when generating an ECDSA key). ECDH is used only if the TLS handshake has selected an ECDH ciphersuite.
DH requires DH parameters, there usually are defaults. That is a part of server configuration. DH parameters can be generated by:
openssl gendh -out dh.pem "size"
where size is the "size" of the parameters (2048 is considered secure); large sizes take more time to generate. That file can be specified in server configuration. DH is used only if the TLS handshake has selected a DH ciphersuite.
Of these ciphersuites, RC4-MD5 and EXP-DES-CBS-SHA use RSA key exchange and do not use (and cannot use) DH or ECDH, and also cannot use a certificate with an ECDSA key (such as generated above).
EDH-RSA-DES-CBC3-SHA uses DH key exchange and RSA certificate (it will not work with ECDSA certificate)
ECDHE-ECDSA-AES256-SHA uses ECDH key exchange and will use ECDSA certificate, it will not use DH.
Quoting 櫻井英明 <hideaki.s...@gmail.com>:
Hello
Thanks for good advice.
I would like to know which command that I need to use to make ECDSA key, or how to make it.
And I would like to know which command that I need to use dh.
I'm so sorry but would you show me the process about following?
EDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-AES256-SHA
RC4-MD5
EXP-DES-CBS-SHA
Thanks
2011/8/30 yyy <y...@inbox.lv>
Generally ANY CA signature works with ANY ciphersuite. They are not related at all.
You mean:
Make a CA, which can sign a certificate, which can be used with these all ciphersuites?
In that case any signature method can be used. (ECDSA and RSA ciphersuites will not work with one certificate, but CA should be ok). This should work with any ciphersuite. In this case you will have to make a self signed (root) certificate for CA. It can use any type of public key (either RSA or ECC).
Or, making a certificate, which can be used with these specified ciphersuites?
In that case, any signature method can be used (it depends on type of CA key), type of signature on certificate should not affect selection of ciphersuites usable with that certificate (these only are affected by type of certificate's public key).
Or something else?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Hello
Sorry for confusing you. My exact purpose is to make CA signatures for the following ciphersuites.
EDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-AES256-SHA
RC4-MD5
EXP-DES-CBS-SHA
I think my question was confusing because I did not understand what command to use.
Please do not care what command that I used.
Would you please teach me what command I need to use and how to use it?
Thanks
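The rule from the reply at the top of this thread (whether a suite works with a certificate depends on the certificate's public key type, not on the CA signature), as an added example that is not part of the original messages. The function names are hypothetical, prime256v1 and the CN are chosen only for the demo, and only plain RSA, ephemeral DH and ECDHE suite names are classified.

```shell
# Added example; function names are hypothetical, not OpenSSL commands.
# Names this sketch does not classify (PSK, SRP, DSS, anonymous, fixed DH/ECDH, TLS 1.3).
in_scope() {
    case "$1" in
        TLS_*|*PSK*|*SRP*|*DSS*|*KRB5*|*GOST*|ECDH-*|DH-*|*ADH-*|AECDH-*) return 1 ;;
    esac
}

# Key exchange implied by the suite name.
suite_kx() {
    in_scope "$1" || { echo OTHER; return; }
    case "$1" in
        ECDHE-*)               echo ECDH ;;
        EDH-*|DHE-*|EXP-EDH-*) echo DH ;;
        *)                     echo RSA ;;   # no prefix: RSA key exchange
    esac
}

# Public key type the server certificate must carry.
suite_auth() {
    in_scope "$1" || { echo OTHER; return; }
    case "$1" in
        *-ECDSA-*) echo EC ;;
        *)         echo RSA ;;
    esac
}

# Public key type of a certificate file; the CA signature type is ignored.
cert_key_type() {
    alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p')
    case "$alg" in
        id-ecPublicKey) echo EC ;;
        rsaEncryption)  echo RSA ;;
        *)              echo "$alg" ;;
    esac
}

# Succeeds when certificate $1 can be used with suite $2.
cert_serves_suite() { [ "$(cert_key_type "$1")" = "$(suite_auth "$2")" ]; }

# Demo on a throwaway ECDSA certificate (constructed; suite names as written in the thread).
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    openssl ecparam -genkey -name prime256v1 -out "$d/eckey.pem"
    openssl req -x509 -new -key "$d/eckey.pem" -subj "/CN=ec.example" -out "$d/eccert.crt"
    for s in EDH-RSA-DES-CBC3-SHA ECDHE-ECDSA-AES256-SHA RC4-MD5 EXP-DES-CBS-SHA; do
        cert_serves_suite "$d/eccert.crt" "$s" && ok=yes || ok=no
        echo "$s kx=$(suite_kx "$s") needs=$(suite_auth "$s") eccert=$ok"
    done
    rm -rf "$d"
fi
```

This classifies names only and negotiates nothing; current OpenSSL builds no longer enable the RC4 and export suites by default.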