Dear All, I have installed and configured OpenXPKI with ECC using CURVE_NAME prime239v1 and performed all the necessary modifications suggested in the forum. The CA certificate is 239-bit ECC based. Then I tried to generate an ECC web server certificate. The certificate was successfully generated, but the public key of that certificate is RSA, 2048 bits.
CA CERTIFICATE OUTPUT (just a part; see ca_certificate_output.txt for the complete reference)

    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
        Validity
            Not Before: Dec 11 05:00:58 2009 GMT
            Not After : Dec 9 05:00:58 2019 GMT
        Subject: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (239 bit)

WEB SERVER CERTIFICATE OUTPUT (just a part; see web_server_certificate_output.txt for the complete reference)

Certificate:
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
        Subject: C=AU, DC=Cynops, O=Cynops, OU=Cynops, CN=192.168.200.64
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

I have seen many sites containing completely ECC-based certificates, e.g. https://ecc.fedora.redhat.com:8445/, but OpenXPKI generates a different certificate.

I tried this with all ECC curves supported by OpenXPKI but get the same certificate. For reference I am also attaching all my certificate files, including the CA certificate, with all output of certificates by OpenSSL commands. I think the web server must have an ECC key instead of an RSA key.

Best Regards
Scott Thomas
web_server_certificate.p12
Description: application/pkcs12
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:a7:ab:1b:8a:84:45:17
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
        Validity
            Not Before: Dec 11 05:00:58 2009 GMT
            Not After : Dec 9 05:00:58 2019 GMT
        Subject: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (239 bit)
                pub:
                    04:54:9e:f3:ed:ad:3c:2f:4b:97:e2:f2:df:81:5e:
                    b1:c3:82:61:78:31:f7:a8:fd:c8:0d:60:e8:0e:83:
                    cc:0b:5c:39:b6:a2:53:b3:c9:26:4c:b7:0f:fa:37:
                    a2:78:53:db:81:8d:a1:e9:7e:84:cd:f3:fe:b7:88:
                    19
                ASN1 OID: prime239v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                1C:03:27:3D:F3:12:3E:7F:64:1B:C9:95:A5:42:58:86:83:BA:1E:A3
    Signature Algorithm: ecdsa-with-SHA1
         30:40:02:1e:1c:c4:b0:24:4a:b5:f1:41:d1:d2:c5:78:64:0c:
         c7:16:55:d4:1a:91:da:89:14:02:80:3a:e1:52:4d:17:02:1e:
         79:88:b2:48:7d:83:9d:9c:23:7c:d1:8c:78:1e:07:e3:b2:35:
         0b:90:37:34:8d:22:03:2a:37:a3:72:f2
cacert.pem
Description: Binary data
web_server_certificate.pem
Description: Binary data
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:3f:11:15:61:43:59:56:55:ff
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
        Validity
            Not Before: Dec 11 05:09:36 2009 GMT
            Not After : Mar 11 05:09:36 2010 GMT
        Subject: C=AU, DC=Cynops, O=Cynops, OU=Cynops, CN=192.168.200.64
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://localhost/cacert.crt
                OCSP - URI:http://ocsp.openxpki.org/
            X509v3 Authority Key Identifier:
                keyid:1C:03:27:3D:F3:12:3E:7F:64:1B:C9:95:A5:42:58:86:83:BA:1E:A3
                DirName:/C=AU/O=Cynops/OU=Cynops/CN=Cynops.de
                serial:EF:A7:AB:1B:8A:84:45:17
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://localhost/cacrl.crt
                Full Name:
                  URI:ldap://localhost/cn=My%20CA,dc=OpenXPKI,dc=org
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Key Encipherment
            Netscape CA Revocation Url:
                http://localhost/cacrl.crt
            Netscape Revocation Url:
                http://localhost/cacrl.crt
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                This is a TLS Server certificate.\n Generated with OpenXPKI trustcenter software.
            X509v3 Certificate Policies:
                Policy: 1.2.3.4
            X509v3 Subject Alternative Name:
                IP Address:192.168.200.64
            X509v3 Subject Key Identifier:
                D0:8C:EE:58:BE:29:BE:9A:9E:FF:F9:4D:C3:3D:13:93:D2:79:CD:DF
    Signature Algorithm: ecdsa-with-SHA1
         30:40:02:1e:0c:1a:a9:42:73:c9:bc:4e:f8:ec:83:10:53:62:
         86:f4:be:b6:3c:28:73:86:0a:e6:5f:bd:b8:c7:fa:8b:02:1e:
         60:f2:9e:d1:7f:de:06:5b:5b:d2:d4:34:05:0b:76:3c:f0:b2:
         e8:47:20:61:aa:b0:1e:cc:17:d0:bd:90
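
An added example, not part of the original post or of OpenXPKI: in X.509 the signature algorithm reflects the issuer's signing key, while the subject public key is the key carried in the certificate request, so an EC CA can sign a certificate for an RSA key. The code below parses the fields quoted in the post and flags a subject key that is not of the required family; the function names and the EC-only policy are assumptions.

```python
import re

# Excerpts of the `openssl x509 -text` output quoted in the post above.
CA_TEXT = """\
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
Subject: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
Public Key Algorithm: id-ecPublicKey
Public-Key: (239 bit)
ASN1 OID: prime239v1
"""
SERVER_TEXT = """\
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=AU, O=Cynops, OU=Cynops, CN=Cynops.de
Subject: C=AU, DC=Cynops, O=Cynops, OU=Cynops, CN=192.168.200.64
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
"""

KEY_FAMILY = {"id-ecPublicKey": "EC", "rsaEncryption": "RSA"}


def summarize(text):
    """Extract the fields that tell the issuer's key apart from the subject's."""
    def first(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    bits = first(r"^\s*(?:RSA )?Public-Key:\s*\((\d+) bit\)")
    sig = (first(r"^\s*Signature Algorithm:\s*(\S+)") or "").lower()
    return {
        "subject": first(r"^\s*Subject:\s*(.+)$"),
        # The signature algorithm is determined by the issuer's signing key.
        "issuer_key_family": "EC" if sig.startswith("ecdsa")
        else "RSA" if "rsa" in sig else "unknown",
        # The subject key is whatever key was in the certificate request.
        "subject_key_family": KEY_FAMILY.get(
            first(r"^\s*Public Key Algorithm:\s*(\S+)"), "unknown"),
        "subject_key_bits": int(bits) if bits else None,
        "curve": first(r"^\s*ASN1 OID:\s*(\S+)"),
    }


def policy_findings(text, required_family="EC"):
    """Return findings when the subject key is not of the required family."""
    info = summarize(text)
    if info["subject_key_family"] == required_family:
        return []
    return [f"{info['subject']}: subject key is {info['subject_key_family']}-"
            f"{info['subject_key_bits']}, required {required_family} "
            f"(issuer signs with {info['issuer_key_family']})"]
```

Running the same check on the certificate request before it is submitted shows which key type the end-entity key was generated with.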
