20

I know how to generate an RSA Private Key and CSR:

```
openssl genrsa -out my.key.pem 2048
openssl req -new -sha256 -key my.key.pem -out my.csr
```

But how do I do the same with ECDSA (Elliptic Curve Digital Signature Algorithm)?

Giacomo1968
Sreehari

1 Answer

27

For a list of possible curve names, run:

```
openssl ecparam -list_curves
```

Then, pick a curve from the list and replace your first line with:

```
openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem
```

(replace secp521r1 with whichever curve you choose from the list)

Finally, generate the CSR as you have done:

```
openssl req -new -sha256 -key my.key.pem -out my.csr
```
garethTheRed
  • If he/she wants to use it in a TLS server, then they will also need to use a named curve, and *not* domain parameters. That means `ecparam` and `-param_enc named_curve` will need to be used. Also see [Elliptic Curve Cryptography | Named Curves](http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Named_Curves) on the OpenSSL wiki. – jww Aug 10 '16 at 17:58
  • @jww `-param_enc named_curve` appears to be the default, at least with newer versions of OpenSSL. Thus leaving it out should be OK. – Erwan Legrand Feb 10 '17 at 16:46
  • Private keys should be password protected. – phbits Mar 27 '20 at 17:14
  • `openssl ecparam -genkey -name secp521r1 | openssl ec -aes256 -out my.key.pem` – phbits Mar 27 '20 at 17:14
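
Added example, not part of the original answer or comments: a script that runs the answer's two commands non-interactively, then checks that the CSR records a named curve (the point raised in the comments) and matches the private key, and writes a passphrase-protected copy of the key. The subject `/CN=example.test`, the `KEY_PASS` variable, the function names and the temporary file locations are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): ECDSA key + CSR with checks.
# SUBJECT, KEY_PASS, the function names and the temp paths are assumptions.
set -eu
CURVE="${CURVE:-secp521r1}"                   # curve used in the answer
SUBJECT="${SUBJECT:-/CN=example.test}"        # constructed subject

# Generate a private key on a named curve; refuse names OpenSSL does not list.
gen_ec_key() {                                # $1 = key file to write
    openssl ecparam -list_curves | grep -q "^ *${CURVE} *:" ||
        { echo "unknown curve: ${CURVE}" >&2; return 1; }
    ( umask 077; openssl ecparam -name "$CURVE" -genkey -noout -out "$1" )
}

# Create the CSR non-interactively (-subj replaces the prompts).
gen_csr() {                                   # $1 = key file, $2 = CSR to write
    openssl req -new -sha256 -key "$1" -subj "$SUBJECT" -out "$2"
}

# Print the curve recorded in the CSR. Empty output means the key was encoded
# with explicit parameters instead of a named curve (the case jww warns about).
csr_curve() {                                 # $1 = CSR
    openssl req -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Succeed only if the CSR self-signature verifies and its public key is the
# one derived from the private key we intend to deploy.
csr_matches_key() {                           # $1 = key file, $2 = CSR
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Write a passphrase-protected copy; pkey emits encrypted PKCS#8.
# The passphrase is read from the KEY_PASS environment variable.
protect_key() {                               # $1 = plain key, $2 = encrypted key
    ( umask 077; openssl pkey -in "$1" -aes256 -passout env:KEY_PASS -out "$2" )
}

# Demo run in a throwaway directory: prints the curve name on success.
demo() {
    d="$(mktemp -d)"
    gen_ec_key "$d/my.key.pem" && gen_csr "$d/my.key.pem" "$d/my.csr" &&
        csr_matches_key "$d/my.key.pem" "$d/my.csr" && csr_curve "$d/my.csr"
    rm -rf "$d"
}
demo
```

Reading the passphrase from an environment variable keeps it out of the process argument list; delete the unencrypted key once the protected copy has been verified.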