OpenSSL: How to generate a self-signed certificate and key with Elliptic Curves

The use of Elliptic Curves for cryptography is becoming more widely used in today’s internet. Basically, it allows for the same type of security as good old RSA, but with greater speed due to the smaller key sizes it uses compared to an RSA key. You can also generate a key based on the newer cryptography standard through OpenSSL like you would with an RSA key. Here’s how you can do it.

First you will need OpenSSL. If you are on a Linux-based machine, then you are good to go as it has most likely been included in your distribution. For Windows users, you will need to download one of many available binaries here.

First, we are going to generate our ECC key by running this command:

openssl ecparam -name secp256r1 -genkey -out ec_key.pem

For this demonstration, I will be using the secp256r1 curve. This should prove to be sufficient, in some cases you may get the message using curve name prime256v1 instead of secp256r1 which is normal. You can run this command as well to display a list of available to use curves otherwise:

openssl ecparam --list_curves

Now are going to generate a certificate based on the key we’ve just generated like so:

openssl req -new -x509 -key ec_key.pem -sha256 -nodes -out ec_crt.crt -days 365

This will make a request to generate an x509 certificate using the ECC key ec_key.pem as our private key. We are using SHA256 to encrypt the certificate and -nodes for no password(recommended for HTTPS). The certificate will expire 365 days from now. Of course you will be prompted to fill out some information before finishing the process.

To make things easier to manage, you can combine both the key and cert into one file:

cat ec_key.pem ec_crt.crt > ec.pem

You can also verify information contained within the file:

openssl x509 -in ec.pem -noout -text

If everything went according to plan, then you should see ecdsa-with-SHA256 as the signature algorithm.