On 28 May 2014 08:47, Sverre Moe <sverre....@gmail.com> wrote:
> When creating an ECC Certificate Signing Request I noticed the CSR from
> OpenSSL was quite different from the one I generated with Java Keytool.
>
> Checking the CSRs with: openssl req -in ecc.csr -text -noout
>
> OpenSSL CSR has the following attributes:
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (521 bit)
>                 pub:
>                 Field Type: prime-field
>                 Prime:
>                 A:
>                 B:
>                 Generator (uncompressed):
>                 Order:
>                 Cofactor:  1 (0x1)
>                 Seed:
>         Attributes:
>             a0:00
>     Signature Algorithm: ecdsa-with-SHA384
>
> While the Keytool CSR has the following attributes:
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (521 bit)
>                 pub:
>                 ASN1 OID: secp521r1
>         Attributes:
>         Requested Extensions:
>             X509v3 Subject Key Identifier:
>     Signature Algorithm: ecdsa-with-SHA384
>
>
> Does that mean OpenSSL is better suited for creating ECC CSRs? What are the
> extra attributes for that come with the OpenSSL CSR? Also Keytool has Requested
> Extensions which OpenSSL doesn't.
How did you generate your key with openssl? You are using explicit curve
parameters rather than a named curve. The keytool version just names the curve
secp521r1. This is a well-known curve, with a well-defined set of parameters
associated with it (and therefore they don't need to be listed). The openssl
version is not using a named curve and is explicitly listing out the set of
parameters associated with the curve it's using. Normally you would use named
curves.

So for example if I type:

openssl ecparam -name secp256k1 -genkey -noout -out secp256-key.pem
openssl req -out secp256.csr -key secp256-key.pem -new
openssl req -in secp256.csr -text -noout

Then I get:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:fc:c0:6f:68:13:ce:bf:23:f7:51:65:b2:e5:35:
                    d1:39:1b:38:6a:3e:11:7a:07:02:06:97:56:f7:a4:
                    b2:24:f7:a8:73:34:e5:bf:8d:b3:8a:95:71:c5:a5:
                    4f:b0:54:a4:d7:9f:55:4a:b2:81:10:6c:60:4b:05:
                    77:3b:63:f2:aa
                ASN1 OID: secp256k1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA1
         30:46:02:21:00:fc:89:36:23:68:ed:e5:96:a6:ec:96:2a:20:
         bf:45:be:ae:d0:81:f2:f8:f3:91:31:6e:ca:13:cf:8f:b2:84:
         9d:02:21:00:f5:ed:e3:72:83:30:0a:f1:8c:80:7e:d9:e0:e5:
         fc:a6:fc:35:c0:7f:73:60:ea:c9:76:f4:5a:6a:bf:70:b5:1f

Whereas if I generate my key with

openssl ecparam -name secp256k1 -genkey -noout -out secp256-key.pem -param_enc explicit

Then I get a csr which looks more like your one.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
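The difference Matt describes is visible in the DER of the SubjectPublicKeyInfo: the EC AlgorithmIdentifier's parameters field is either an OBJECT IDENTIFIER (namedCurve, as in the keytool CSR and the default openssl output) or a SEQUENCE carrying the full ECParameters (specifiedCurve, what `-param_enc explicit` produces). RFC 5480 requires namedCurve for PKIX certificates and forbids the explicit and implicitlyCA forms, so a CA or CSR-intake pipeline normally wants to reject the explicit form rather than sign it. The following Python is an added example, not code from the thread or from the OpenSSL project: a minimal DER reader that pulls the SPKI out of a CSR and classifies its EC parameters, using only the standard library so it works without openssl on the box. The two sample CSRs are constructed inline with a tiny DER writer (public-key point and signature are dummy bytes, and the explicit-parameters sample is a stand-in SEQUENCE rather than a full ECParameters); the curve-name table is a small assumed subset.

```python
"""Classify the EC parameters in a CSR's SubjectPublicKeyInfo: namedCurve vs explicit.
Added example (not from the thread). Pure stdlib; the DER writer only builds samples."""
import base64

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
# Assumed minimal named-curve table (RFC 5480 / SEC 2 OIDs); unknown OIDs stay dotted.
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.10": "secp256k1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split a constructed element's contents into a list of (tag, contents)."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out

def decode_oid(contents):
    """Decode OID contents octets to dotted-decimal form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def spki_from_csr(csr_der):
    """CertificationRequest -> CertificationRequestInfo -> third element (subjectPKInfo)."""
    _, req, _ = der_read(csr_der)
    _, info, _ = der_read(req)
    _, _, pos = der_read(info, 0)      # version INTEGER
    _, _, pos = der_read(info, pos)    # subject Name
    start = pos
    _, _, pos = der_read(info, pos)    # subjectPKInfo, returned as a whole TLV
    return info[start:pos]

def classify_ec_parameters(spki_der):
    """Return ('namedCurve', name), ('specifiedCurve', None) or ('implicitlyCA', None)."""
    _, spki, _ = der_read(spki_der)
    _, alg, _ = der_read(spki)                 # AlgorithmIdentifier
    (_, alg_oid), (param_tag, param_val) = der_children(alg)[:2]
    if decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey SubjectPublicKeyInfo")
    if param_tag == 0x06:                      # OID: namedCurve (keytool / default openssl)
        oid = decode_oid(param_val)
        return "namedCurve", CURVE_NAMES.get(oid, oid)
    if param_tag == 0x30:                      # SEQUENCE: ECParameters spelled out (-param_enc explicit)
        return "specifiedCurve", None
    if param_tag == 0x05:                      # NULL: implicitlyCA
        return "implicitlyCA", None
    raise ValueError("unexpected EC parameters tag 0x%02x" % param_tag)

def check_csr_curve(pem):
    """Intake-style check: (kind, curve name or None, accepted?). Only namedCurve is accepted."""
    kind, name = classify_ec_parameters(spki_from_csr(pem_to_der(pem)))
    return kind, name, kind == "namedCurve"

# ---- constructed sample input: a tiny DER writer; key point and signature are dummies ----
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = [0x80 | (a & 0x7F)] + chunk, a >> 7
        body += bytes(chunk)
    return der_tlv(0x06, body)

def build_sample_csr(ec_params_tlv):
    """Structurally valid (unsigned) CSR around the given EC parameters element."""
    spki = der_tlv(0x30, der_tlv(0x30, encode_oid(ID_EC_PUBLIC_KEY) + ec_params_tlv)
                   + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))      # dummy uncompressed point
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, b"") + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, encode_oid("1.2.840.10045.4.3.3"))        # ecdsa-with-SHA384
    return der_tlv(0x30, info + sig_alg + der_tlv(0x03, b"\x00"))     # dummy signature

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % body

NAMED_CSR = der_to_pem(build_sample_csr(encode_oid("1.3.132.0.35")))                  # secp521r1 by OID
EXPLICIT_CSR = der_to_pem(build_sample_csr(der_tlv(0x30, der_tlv(0x02, b"\x01"))))  # stand-in ECParameters
```

`check_csr_curve(NAMED_CSR)` returns `('namedCurve', 'secp521r1', True)` and `check_csr_curve(EXPLICIT_CSR)` returns `('specifiedCurve', None, False)`. The classification only looks at the tag of the parameters element, which is exactly what `openssl req -text` is rendering as either "ASN1 OID: ..." or the Field Type / Prime / A / B / Generator / Order / Cofactor listing in the original question; a real intake check should additionally confirm the named OID is on an allow-list, since an unknown OID is returned as a dotted string here.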