Last active
July 25, 2024 07:03
Create self-signed ECDSA (ECC) certificate with private key inside in openssl
--- CREATE SELF-SIGNED ECDSA CERTIFICATE WITH PRIVATE KEY INSIDE ----
1. Open openssl.exe.
2. If you haven't chosen a curve, you can list them with this command:
    ecparam -list_curves
I picked sect571r1 for this example.
    ECDSA 384 - brainpoolP384r1
    ECDSA 512 - sect571r1
3. Create private-key.pem. Use one of these commands to generate an EC private key if you don't have one already:
    ecparam -name brainpoolP512r1 -genkey -param_enc explicit -out private-key.pem
    ecparam -genkey -name secp521r1 -noout -out private-key.pem
4. Create certificate in certificate.pem.
    req -new -x509 -key private-key.pem -out certificate.pem -days 900000 -subj "/C=PL/ST=Silesia/L=Katowice/O=MyOrganization/CN=CommonName"
5. You can inspect the files in the console:
    ecparam -in private-key.pem -text -noout
    x509 -in certificate.pem -text -noout
6. Combine private key and certificate into a new certificate-private.pem file. Open up command line, move to the folder where your files exist.
    cat private-key.pem certificate.pem > certificate-private.pem
7. Create p12 / p7b / pfx certificate from certificate-private.pem. Each command writes a PKCS#12 container; only the file extension differs.
    pkcs12 -export -inkey private-key.pem -in certificate-private.pem -out certificate-private.pfx
    pkcs12 -export -inkey private-key.pem -in certificate-private.pem -out certificate-private.p12
    pkcs12 -export -inkey private-key.pem -in certificate-private.pem -out certificate-private.p7b
The pfx file's icon should be an opened letter with a yellow key.
--- IMPORT THE CERTIFICATE TO YOUR MACHINE (for Windows) ----
8. Click "Start" and open mmc (Microsoft Management Console) as Administrator.
9. Choose File -> Add/remove snap-in.
10. Choose "Certificates" and "Add", then choose "Local machine".
11. Open "Personal" or "Trusted Root..." and choose "Certificates".
12. Right-click "Certificates" -> "All tasks" -> "Import" and choose the file.
13. The certificate should come up in the list and the icon should have a key.
Double-click to show details. In the "General" tab you should see "You have a private key that corresponds to this certificate".
--- CONVERT CERTIFICATE TO ANOTHER FORMAT ----
Convert crt to pfx.
    pkcs12 -export -out certificate.pfx -inkey private.key -in public.crt
--- EXPORT KEYS FROM CERTIFICATE ----
Export private key:
    pkcs12 -in certificate-private.pfx -nocerts -nodes -out sample.key
Export certificate:
    pkcs12 -in certificate-private.pfx -clcerts -nokeys -out publickey.pem
    pkcs12 -in certificate-private.pfx -nokeys -out public.key -nodes
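The procedure above as a script with a consistency check, added here as an example and not part of the original gist: it builds the key, certificate and PFX, then confirms that all three carry the same public key and reports the named curve stored in the certificate. The password, the 365-day lifetime and the function names are assumptions; the curve and file names follow the gist.

```shell
#!/bin/sh
# Added example (not from the gist). Assumed values: the password, the 365-day
# lifetime and all function names. Curve and file names follow the gist.
PASS='constructed-pass'   # constructed sample password

# build_bundle DIR: write private-key.pem, certificate.pem, certificate-private.pfx
build_bundle() {
    (
        umask 077   # key and bundle readable by the owner only
        cd "$1" || exit 1
        openssl ecparam -genkey -name secp521r1 -noout -out private-key.pem &&
        openssl req -new -x509 -key private-key.pem -out certificate.pem \
            -days 365 -subj "/CN=CommonName" &&
        openssl pkcs12 -export -inkey private-key.pem -in certificate.pem \
            -out certificate-private.pfx -passout "pass:$PASS"
    ) 2>/dev/null
}

# check_bundle DIR: print "match" only if key, certificate and PFX share one public key
check_bundle() {
    k=$(openssl pkey -in "$1/private-key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/certificate.pem" -noout -pubkey 2>/dev/null)
    p=$(openssl pkcs12 -in "$1/certificate-private.pfx" -nocerts -nodes \
            -passin "pass:$PASS" 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$p" ]; then
        echo match
    else
        echo mismatch
    fi
}

# curve_of CERT: print the named curve recorded in the certificate
curve_of() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

work=$(mktemp -d)
build_bundle "$work" && check_bundle "$work" && curve_of "$work/certificate.pem"
rm -rf "$work"
```

The same `check_bundle` comparison catches a certificate paired with the wrong key before the bundle is imported into a certificate store.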
May be helpful: one-liner to generate an EC self-signed cert
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 3650 \
        -nodes -keyout example.com.key -out example.com.crt -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com"