DEV Community

Scott Brady
Scott Brady

Posted on • Originally published at scottbrady91.com

Creating Elliptical Curve Keys using OpenSSL

Recently, I have been using OpenSSL to generate private keys and X509 certificates for Elliptical Curve Cryptography (ECC) and then using them in ASP.NET Core for token signing.

In this article, I’m going to show you how to use OpenSSL to generate private and public keys on the curve of your choice.

tl;dr - OpenSSL ECDSA Cheat Sheet

# find your curve
openssl ecparam -list_curves

# generate a private key for a curve
openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

# generate corresponding public key
openssl ec -in private-key.pem -pubout -out public-key.pem

# optional: create a self-signed certificate
openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

# optional: convert pem to pfx
cat private-key.pem cert.pem > cert-with-private-key
openssl pkcs12 -export -inkey private-key.pem -in cert-with-private-key -out cert.pfx
Enter fullscreen mode Exit fullscreen mode

Generating an Elliptical Curve Private Key Using OpenSSL

To start, you will need to choose the curve you will be working with. You can use the following command to see a list of supported curve names and descriptions.

openssl ecparam -list_curves
Enter fullscreen mode Exit fullscreen mode

In this example, I am using prime256v1 (secp256r1), which is suitable for JWT signing; this is the curve used for JOSE’s ES256.

You can now generate a private key:

openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem
Enter fullscreen mode Exit fullscreen mode

This should give you a PEM file containing your EC private key, which looks something like the following:

----------BEGIN EC PRIVATE KEY-----
MHcCAQEEIKEubpBiHkZQYlORbCy8gGTz8tzrWsjBJA6GfFCrQ98coAoGCCqGSM49
AwEHoUQDQgAEOr6rMmRRNKuZuwws/hWwFTM6ECEEaJGGARCJUO4UfoURl8b4JThG
t8VDFKeR2i+ZxE+xh/wTBaJ/zvtSqZiNnQ==
----------END EC PRIVATE KEY-----
Enter fullscreen mode Exit fullscreen mode

Creating an EC Public Key from a Private Key Using OpenSSL

Now that you have your private key, you can use it to generate another PEM, containing only your public key.

openssl ec -in private-key.pem -pubout -out public-key.pem
Enter fullscreen mode Exit fullscreen mode

This should give you another PEM file, containing the public key:

----------BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOr6rMmRRNKuZuwws/hWwFTM6ECEE
aJGGARCJUO4UfoURl8b4JThGt8VDFKeR2i+ZxE+xh/wTBaJ/zvtSqZiNnQ==
----------END PUBLIC KEY-----
Enter fullscreen mode Exit fullscreen mode

Creating an EC Self-Signed Certificate Using OpenSSL

Now that you have a private key, you could use it to generate a self-signed certificate. This is not required, but it allows you to use the key for server/client authentication, or gain X509 specific functionality in technologies such as JWTs and SAML.

openssl req -new -x509 -key private-key.pem -out cert.pem -days 360
Enter fullscreen mode Exit fullscreen mode

This will again generate another PEM file, this time containing the certificate created by your private key:

----------BEGIN CERTIFICATE-----
MIIB4DCCAYWgAwIBAgIUH53ssiPt4JEGx+VJyntCpHL+TdAwCgYIKoZIzj0EAwIw
RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA3MTgxMTE4NDNaFw0yMTA3MTMx
MTE4NDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAAQ6vqsyZFE0q5m7DCz+FbAVMzoQIQRokYYBEIlQ7hR+hRGXxvglOEa3
xUMUp5HaL5nET7GH/BMFon/O+1KpmI2do1MwUTAdBgNVHQ4EFgQU9yjFBqAZOMv+
cD6a3KHTWuYrcFEwHwYDVR0jBBgwFoAU9yjFBqAZOMv+cD6a3KHTWuYrcFEwDwYD
VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAwCpA5Nx083qqUqU6LUd0
vzZLK4etuInxNvXohXH5LiACIQDSI63J4DiN3dq2sPPLw5iQi9MMefcV1iAySbKT
B9BaAw==
----------END CERTIFICATE-----
Enter fullscreen mode Exit fullscreen mode

You could leave things there, but if you are working on Windows, you may prefer a PFX file that contains both the certificate and the private key for you to export and use.

You can do this by first concatenating your private key and certificate into a single file:

cat private-key.pem cert.pem > cert-with-private-key
Enter fullscreen mode Exit fullscreen mode

And then using OpenSSL to create a PFX file:

openssl pkcs12 -export -inkey private-key.pem -in cert-with-private-key -out cert.pfx
Enter fullscreen mode Exit fullscreen mode

OpenSSL will ask you to create a password for the PFX file. Feel free to leave this blank.

This should leave you with a certificate that Windows both install and export the private key from.

A certificate, opened in Windows 10, showing that a private key corresponding to this certificate is present.

Top comments (0)