Wednesday, November 19, 2014

Simple EC CA script for use with OpenSSL

For some testing purposes, I need to create some elliptic-curve certificates. OpenSSL does not ship a script that creates such certificates directly, so I modified the supplied CA.sh into an ecCA.sh.

The usage is almost the same as CA.sh, plus some EC-specific options:
ecCA.sh -h
usage: ecCA.sh [-curve name] -list-curves|-newcert|-newreq|-newreq-nodes|-newca|-sign|-pkcs12|-verify

Use -list-curves to list all supported curves. The default CA curve is secp521r1 and the default certificate curve is prime256v1.

Here are some simple steps to create an EC CA and a signed EC certificate.
  1. Run "ecCA.sh -newca", which will ask you a series of questions to create your CA certificate. You can accept the defaults, but do remember to enter a common name for the cert, otherwise you won't be able to create one. A demoCA subdirectory will be created under the current directory.
  2. Run "ecCA.sh -newreq" and answer the questions; you will get a new key and certificate request named "newkey.pem" and "newreq.pem".
  3. Run "ecCA.sh -sign" and follow the instructions; you will get a signed certificate "newcert.pem".
  4. Run "ecCA.sh -pkcs12", which creates a PKCS#12 formatted file "newcert.p12" that can be used to import the certificate into a browser.
You can download the ecCA.sh script here.
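The four steps above, carried out with plain openssl commands instead of the ecCA.sh wrapper, as an added example that is not part of the original post or script. It keeps the post's default curves (secp521r1 for the CA, prime256v1 for the end-entity key). Everything else is this example's own choice: the flat scratch directory instead of demoCA, the non-interactive -subj names, the 365-day validity, the "changeit" PKCS#12 password, and "openssl x509 -req" standing in for the "openssl ca" call the original CA.sh-derived script makes.

```shell
#!/bin/sh
# Added example (not from the post): EC CA -> EC request -> signed cert ->
# verify -> PKCS#12, using openssl directly. All file names, subjects and the
# PKCS#12 password are constructed for this example.
set -u

CA_CURVE=secp521r1      # default CA curve named in the post
CERT_CURVE=prime256v1   # default end-entity curve named in the post

# Step 1 (-newca): EC CA key and a self-signed CA certificate in "$1".
make_ec_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:"$CA_CURVE" -nodes \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" -days 365 \
    -subj "/CN=Example EC CA" 2>/dev/null
}

# Step 2 (-newreq): fresh EC key plus CSR for common name "$2".
make_ec_req() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:"$CERT_CURVE" -nodes \
    -keyout "$1/newkey.pem" -out "$1/newreq.pem" -subj "/CN=$2" 2>/dev/null
}

# Step 3 (-sign): CA signs the CSR; -CAcreateserial writes cacert.srl beside the CA cert.
sign_req() {
  openssl x509 -req -in "$1/newreq.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 365 -out "$1/newcert.pem" 2>/dev/null
}

# (-verify): does the new certificate chain to our CA?
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}

# Step 4 (-pkcs12): bundle key, cert and CA cert for browser import.
export_p12() {
  openssl pkcs12 -export -inkey "$1/newkey.pem" -in "$1/newcert.pem" \
    -certfile "$1/cacert.pem" -out "$1/newcert.p12" -passout pass:changeit 2>/dev/null
}

# Print the named curve of an EC private key file, e.g. "prime256v1".
key_curve() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# True if the certificate in "$1" carries an ECDSA signature.
cert_is_ecdsa() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Signature Algorithm: ecdsa-with-'
}

# Whole workflow in directory "$1"; returns non-zero if any step fails.
build_ec_chain() {
  make_ec_ca "$1" && make_ec_req "$1" "test.example" && sign_req "$1" \
    && verify_cert "$1" && export_p12 "$1"
}

# Stand-alone run: build a chain in a scratch directory and report the curves used.
work=$(mktemp -d)
if build_ec_chain "$work"; then
  echo "CA key curve:   $(key_curve "$work/cakey.pem")"
  echo "cert key curve: $(key_curve "$work/newkey.pem")"
  echo "artefacts in $work"
fi
```

The curve check at the end is the part worth keeping around: a request generated with the wrong -pkeyopt (or a CA that silently fell back to an RSA default) looks identical in a file listing, and "openssl pkey -text" is the quickest way to confirm what key material actually went into the bundle.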
