I've previously written about creating SSL certificates. Times have changed, and ECC is the way of the future. Today I'm going to revisit that post with creating ECDSA SSL certificates as well as how to get your certificate signed by Let's Encrypt.

Generating an ECDSA Key

Since this information doesn't seem to be readily available many places, I'm putting it here. This is the fast track to getting an ECDSA SSL certificate.

openssl ecparam -out private.key -name prime256v1 -genkey

Generating the Certificate Signing Request

Generating the CSR is generally done interactively.

openssl req -new -sha256 -key private.key -out server.csr

Fill out the requested information. Use your two letter country code. Use the full name of your state. Locality means city. Organization Name and Organizational Unit Name seem rather self explanatory (they can be the same). Common name is the fully qualified domain name of the server or virtual server you are creating a certificate for. The rest you can leave blank.

Non-interactive CSR generation

You can avoid interactive CSR creation by supplying the subject information on the command line. This works fine as long as you don't need subjectAltNames.

openssl req -new -sha256 -key private.key -out domain.com.csr \
    -subj "/C=US/ST=California/L=San Diego/O=Digital Elf/CN=digitalelf.net"

Non-interactive CSR generation with subjectAltName

Unfortunately, certificates with subjectAltName currently must be created with a config file. This is disappointing on many levels. You'll need at least the following config (the command below saves it as csr.cnf):

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = digitalelf.net
DNS.2 = www.digitalelf.net

And then create the CSR:

openssl req -new -sha256 -key private.key -out domain.com.csr \
    -subj "/C=US/ST=California/L=San Diego/O=Digital Elf/CN=digitalelf.net" \
    -config csr.cnf
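The whole procedure above (P-256 key, generated config with SANs, CSR), packaged as a script together with the checks worth running before handing the CSR to a CA. This is an added example, not code from the original post; the file names and the make_ecdsa_csr/key_is_p256/csr_* helper names are mine.

```shell
# Added example: generate a P-256 key and a CSR carrying subjectAltName
# from a config file written on the fly, then verify the result with openssl.
set -e

# make_ecdsa_csr <key> <csr> <subject> <dns1> [dns2 ...]
# Writes the key, a minimal req config listing every DNS name, and the CSR.
make_ecdsa_csr() {
    key="$1"; csr="$2"; subj="$3"; shift 3
    cnf="${csr%.csr}.cnf"
    # -noout keeps the separate "EC PARAMETERS" block out of the key file
    openssl ecparam -name prime256v1 -genkey -noout -out "$key"
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n[req_distinguished_name]\n'
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$cnf"
    # -subj supplies the DN, so the req_distinguished_name section can stay empty
    openssl req -new -sha256 -key "$key" -out "$csr" -subj "$subj" -config "$cnf"
}

# Checks: the key really is P-256, the CSR's self-signature verifies,
# the requested SAN entries are present and the signature is ECDSA/SHA-256.
key_is_p256()         { openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'prime256v1'; }
csr_verifies()        { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
csr_has_dns()         { openssl req -in "$1" -noout -text | grep -q "DNS:$2"; }
csr_is_ecdsa_sha256() { openssl req -in "$1" -noout -text | grep -q 'ecdsa-with-SHA256'; }

# Usage: build the CSR for digitalelf.net with two SANs in a scratch directory
work=$(mktemp -d)
make_ecdsa_csr "$work/private.key" "$work/digitalelf.net.csr" \
    "/C=US/ST=California/L=San Diego/O=Digital Elf/CN=digitalelf.net" \
    digitalelf.net www.digitalelf.net
csr_has_dns "$work/digitalelf.net.csr" www.digitalelf.net && echo "SAN present in $work/digitalelf.net.csr"
```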

Signing your certificate

At this point you'll want your cert signed by a real Certificate Authority. I suggest Let's Encrypt because you can get certificates for free.

The official client for Let's Encrypt is certbot. I've never used it.

My preferred client is dehydrated because it doesn't need anything more than the base system, and works on SmartOS, FreeBSD, macOS (Darwin), and Linux. See the documentation on usage.

I've also created make-cert which wraps dehydrated, pre-configures most options, but requires node.js if you don't already have a configured web server. I use this simply because it makes dehydrated easier to deploy.

Using a traditional Certificate Authority

If that doesn't work for you because you can't run the letsencrypt client on your web server, StartSSL is also free. If you don't want a free one, you should have no trouble finding one on your own. Whichever you pick, give them your server.csr file. They'll give you back a certificate.

Self-Signed Certificate

If you want a self-signed certificate instead, run this:

openssl x509 -req -sha256 -days 365 -in server.csr -signkey private.key -out public.crt

You can also create a self-signed certificate with a single step.

openssl req -new -days 365 -nodes -x509 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout www.example.com.key \
    -out www.example.com.cert