> and how do I generate an ECDSA certificate?

Generate a self-signed ECDSA cert the same ways you do RSA, 
except use EC instead of RSA.

- use req -new with EC key or -newkey with EC params and -x509 
to generate self-signed cert directly.

- use req -new with key or -newkey to generate CSR,
then x509 -req -signkey to create self-signed cert.

Set other attributes as appropriate. If you set KeyUsage,
it must include digSign to use this cert for ECDHE-ECDSA.
(KU for RSA should include digSign or encrypt depending 
on the suites to be used, but sometimes isn't enforced.)

Use a curve supported by the peers you will communicate with.

Obtain a CA-signed ECDSA cert the same ways as RSA,
except EC instead of RSA, and harder.

- generate CSR for EC key as above, for suitable curve

- find a CA that issues EC certs, with usage allowing 
at least digSign=ECDSA. I haven't found any yet.

- submit CSR to CA, prove your identity, pay fees.

- receive cert and any chain cert(s) from CA. 

<snip>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
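
The two self-signed routes described in the reply above, as an added example that is not part of the original post: it builds one cert with req -newkey/-x509 and one through a CSR and x509 -req -signkey, then checks each for an EC key, an ECDSA signature, digitalSignature key usage and a matching private key. The curve (prime256v1), the placeholder CN, the section name v3_ecdsa, the file names and the helper function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed ECDSA certs, both routes.
set -eu
CURVE=prime256v1   # assumption: P-256; pick a curve your peers support

write_cnf() {      # constructed minimal config; the CN is a placeholder
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ecdsa.example.test
[v3_ecdsa]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
}

route_direct() {   # req -newkey with EC params and -x509, in one step
  openssl ecparam -name "$CURVE" -out "$1/params.pem"
  openssl req -new -x509 -newkey "ec:$1/params.pem" -nodes -sha256 -days 30 \
    -config "$1/req.cnf" -extensions v3_ecdsa \
    -keyout "$1/key1.pem" -out "$1/cert1.pem"
}

route_csr() {      # existing EC key -> CSR -> x509 -req -signkey
  openssl ecparam -name "$CURVE" -genkey -noout -out "$1/key2.pem"
  openssl req -new -key "$1/key2.pem" -sha256 -config "$1/req.cnf" -out "$1/csr2.pem"
  openssl x509 -req -in "$1/csr2.pem" -signkey "$1/key2.pem" -sha256 -days 30 \
    -extfile "$1/req.cnf" -extensions v3_ecdsa -out "$1/cert2.pem"
}

field() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

check_cert() {     # $1 = cert, $2 = key; returns 0 only if every check passes
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 1
  echo "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA256' || return 1
  echo "$text" | grep -q 'Digital Signature' || return 1     # KU for ECDHE-ECDSA
  [ "$(field subject "$1")" = "$(field issuer "$1")" ] || return 1   # self-issued
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
  d=$(mktemp -d); write_cnf "$d"; route_direct "$d"; route_csr "$d"
  check_cert "$d/cert1.pem" "$d/key1.pem" && check_cert "$d/cert2.pem" "$d/key2.pem"
  rc=$?; rm -rf "$d"; return $rc
}
demo && echo "both self-signed ECDSA certs pass the checks"
```

For a CA-signed cert, csr2.pem from route_csr is the file that would be submitted to the CA.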
