I've previously written about creating SSL certificates. Times have changed, and ECC is the way of the future. Today I'm going to revisit that post with creating ECDSA SSL certificates as well as how to get your certificate signed by Let's Encrypt.
Generating an ECDSA Key
Since this information doesn't seem to be readily available many places, I'm putting it here. This is the fast track to getting an ECDSA SSL certificate.
openssl ecparam -out private.key -name prime256v1 -genkey
Generating the Certificate Signing Request
Generating the CSR is generally done interactively.
openssl req -new -sha256 -key private.key -out server.csr
Fill out the requested information. Use your two letter country code. Use the full name of your state. Locality means city. Organization Name and Organizational Unit Name seem rather self explanatory (they can be the same). Common name is the fully qualified domain name of the server or virtual server you are creating a certificate for. The rest you can leave blank.
Non-interactive CSR generation
You can avoid interactive CSR creation by supplying the subject information on the command line. This will work fine as long as you're not using subjectAltName.
openssl req -new -sha256 -key private.key -out domain.com.csr \
    -subj "/C=US/ST=California/L=San Diego/O=Digital Elf/CN=digitalelf.net"
Non-interactive CSR generation with subjectAltName
Unfortunately, certificates with subjectAltName currently must be done with a config file. This is disappointing on many levels. You'll need the following minimum config.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = digitalelf.net
DNS.2 = www.digitalelf.net
And then create the CSR:
openssl req -new -sha256 -key private.key -out domain.com.csr \
    -subj "/C=US/ST=California/L=San Diego/O=Digital Elf/CN=digitalelf.net" \
    -config csr.cnf
Signing your certificate
At this point you may want your cert signed by a real Certificate Authority. I suggest Let's Encrypt because you can get certificates for free.
Using Let's Encrypt with custom keys
Here's how to quickly set up a letsencrypt virtualenv.
pip install virtualenv
virtualenv letsencrypt
cd letsencrypt; source bin/activate
pip install letsencrypt
Let's Encrypt requires subjectAltName in your CSR, so make sure you've generated one. Then, to obtain the certificate:
letsencrypt -n certonly --agree-tos \
    --email 'firstname.lastname@example.org' \
    --csr /opt/local/etc/certs/server.csr \
    --cert-path /opt/local/etc/certs/cert.pem \
    --fullchain-path /opt/local/etc/cert/fullchain.pem \
    --webroot -w /opt/www/digitalelf.net \
    -d digitalelf.net -d www.digitalelf.net
Using a traditional Certificate Authority
If that doesn't work for you because you can't run the letsencrypt client on your web server, StartSSL is also free. If you don't want a free one, you should have no trouble finding one on your own. Whichever you pick, give them your server.csr file. They'll give you back a certificate.
If you want a self-signed certificate instead, run this:
openssl x509 -req -sha256 -days 365 -in server.csr -signkey private.key -out public.crt
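The following script is an added example, not code from the original post. It runs the whole key, subjectAltName CSR and self-signed certificate procedure from the two sections above non-interactively and then checks each artifact: that the key is on prime256v1, that both DNS names are in the CSR, that they survived into the certificate, that the certificate's public key belongs to private.key, and that the self-signature verifies. One caveat worth knowing: `openssl x509 -req` ignores the extensions requested in the CSR unless you pass `-extfile`/`-extensions`, so the plain self-signing command above would produce a certificate without the SANs. The domain names, subject, file names and scratch directory are assumptions, and keyUsage is deliberately left out of the config (see the comment) so the self-signed cert can act as its own trust anchor during the check.

```shell
#!/bin/sh
# Added example, not code from the original post: key -> SAN CSR ->
# self-signed certificate, run non-interactively, with a check on each
# artifact. Names, subject, file names and scratch directory are assumptions.
set -eu

DOMAIN="digitalelf.net"          # assumed primary name
ALT="www.digitalelf.net"         # assumed alternative name
WORK="${TMPDIR:-/tmp}/ecdsa-demo.$$"

# Minimal config carrying the subjectAltName request extension. keyUsage is
# left out on purpose: OpenSSL only accepts a self-signed cert as its own
# trust anchor when keyUsage is absent or includes keyCertSign. A real CA
# sets keyUsage on the certificate it issues regardless of what the CSR asks.
write_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = $ALT
EOF
}

# P-256 (prime256v1) private key; -noout keeps the EC PARAMETERS block out.
make_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# CSR from that key: subject on the command line, SANs from the config.
make_csr() {
    openssl req -new -sha256 -key "$1" -out "$2" -config "$3" \
        -subj "/C=US/ST=California/L=San Diego/O=Digital Elf/CN=$DOMAIN"
}

# Self-sign. Without -extfile/-extensions, "x509 -req" silently drops the
# extensions requested in the CSR, so the SANs would never reach the cert.
self_sign() {
    openssl x509 -req -sha256 -days 365 -in "$1" -signkey "$2" \
        -extfile "$3" -extensions v3_req -out "$4" 2>/dev/null
}

# True if the PEM object ($1 = req or x509, $2 = file) lists DNS name $3.
has_san() {
    openssl "$1" -in "$2" -noout -text | grep -q -e "DNS:$3," -e "DNS:$3\$"
}

# Run the pipeline and verify the results; prints "ok" on success.
run_demo() {
    mkdir -p "$WORK"
    key="$WORK/private.key"; csr="$WORK/server.csr"
    cnf="$WORK/csr.cnf";     crt="$WORK/public.crt"

    write_cnf "$cnf"
    make_key "$key"
    make_csr "$key" "$csr" "$cnf"
    self_sign "$csr" "$key" "$cnf" "$crt"

    # 1. the key really is an EC key on prime256v1
    openssl pkey -in "$key" -noout -text | grep -q 'prime256v1' \
        || { echo "wrong key type"; return 1; }
    # 2. both names are in the CSR (Let's Encrypt needs them there)
    for n in "$DOMAIN" "$ALT"; do
        has_san req "$csr" "$n" || { echo "CSR lacks $n"; return 1; }
    done
    # 3. both names survived signing
    for n in "$DOMAIN" "$ALT"; do
        has_san x509 "$crt" "$n" || { echo "cert lacks $n"; return 1; }
    done
    # 4. the certificate's public key is the one derived from private.key
    [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] \
        || { echo "key mismatch"; return 1; }
    # 5. the self-signature verifies with the cert as its own trust anchor
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "verify failed"; return 1; }

    rm -rf "$WORK"
    echo ok
}

# Usage: sh ecdsa-demo.sh run
if [ "${1:-}" = "run" ]; then run_demo; fi
```

When you hand the CSR to a real CA instead, only the first two checks apply to what you produce; the CA decides which extensions end up in the certificate, which is why the CSR must already carry the SANs for Let's Encrypt.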
You can also create a self-signed certificate with a single step.
openssl req -new -days 365 -nodes -x509 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout www.example.com.key \
    -out www.example.com.cert