Creating an EC key and a CSR

Up until a few years ago, you would have wanted to use RSA keys on your web servers. They don't have the security weaknesses that certain other key types have, and they're widely supported by pretty much every web browser. But RSA keys do have two weaknesses:

  • Even at the standard 2,048-bit length, they require more computational power than other key types. Increasing the key length for better security would degrade web server performance.
  • RSA doesn't offer Perfect Forward Secrecy (PFS). In other words, if someone were to capture a session key that's produced by the RSA algorithm, they would be able to decrypt material from the past. If the same person were to capture a session key that was produced by a PFS algorithm, they would only be able to decrypt the current communication stream.

Using the new-fangled EC algorithms instead of the creaky old RSA solves both of these problems. But if you pick up a book from even a couple of years ago, you'll see that it recommends using RSA keys for backward compatibility with older web browsers. That's partly because certain operating systems, along with their associated proprietary web browsers, lingered on for far longer than they should have. (I'm looking at you, Windows XP.) Now though, as I sit here writing this in January 2020, I think it's safe to start ignoring the needs of anyone who refuses to move on from these antiquated platforms. I mean, Windows XP reached end-of-life several years ago, and Windows 7 just did a couple of days ago. So, let's get with the times, people.

Unlike what we just saw with the RSA keys, we can't create the EC private key and the CSR all with one simple command. With EC, we need to do this in two separate steps.

First, I'll create the private key as follows:

openssl genpkey -algorithm EC -out eckey.pem -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve

Here's the breakdown:

  • genpkey -algorithm EC: The genpkey command is a fairly recent addition to OpenSSL and is now the recommended way to create private keys. Here, I'm telling it to create a key with the EC algorithm.
  • -out eckey.pem: I'm creating the eckey.pem key, which is in the Privacy Enhanced Mail (PEM) format. The RSA keys that I created in the previous section were also PEM keys, but I used the .key filename extension on them. You can use either the .key or the .pem filename extension, and they'll both work. But if you use the .pem extension, everyone who looks at them can tell at a glance that they are PEM keys.
  • -pkeyopt ec_paramgen_curve:P-384: This tells OpenSSL to create an EC key that's 384 bits in length. A beautiful thing about EC is that its shorter-length keys provide the same encryption strength as the longer RSA keys. In this case, we have a 384-bit key that's actually stronger than a 2,048-bit RSA key. And it requires less computational power. (I call that a total win!)
  • -pkeyopt ec_param_enc:named_curve: This is the encoding method that I'm using for the EC parameters. It has to be set to either named_curve or explicit. For a web server key you want named_curve, which records only the curve's name in the key; TLS implementations generally reject keys that carry explicitly encoded curve parameters.

Now, I'll create a CSR and sign it with my new private key, like so:

[donnie@localhost ~]$ openssl req -new -key eckey.pem -out eckey.csr
. . .
. . .
[donnie@localhost ~]$

The output that I didn't include is the same as what you saw in the RSA key section.

The final steps are the same as before. Choose a CA and let them tell you how to submit the CSR. When they issue the certificate, install it on your web server.
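The two steps above, plus the checks worth running before you hand the CSR to a CA, as an added shell script that is not from the book. It assumes OpenSSL 1.1.1 or later is installed; the subject fields, the file names and the working directory are constructed for this demo (replace the -subj value with your own organization and host name). Passing -subj replaces the interactive questions that openssl req would otherwise ask.

```shell
#!/bin/sh
# Added example (not from the book): create a P-384 EC key, build a CSR from
# it non-interactively, then verify the CSR before submitting it to a CA.
# Assumes OpenSSL 1.1.1+. Paths and subject fields below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/eckey.pem"
CSR="$WORKDIR/eckey.csr"

# Step 1: the private key on the P-384 named curve (the book's command).
make_ec_key() {
    openssl genpkey -algorithm EC -out "$KEY" \
        -pkeyopt ec_paramgen_curve:P-384 \
        -pkeyopt ec_param_enc:named_curve 2>/dev/null
    chmod 600 "$KEY"   # a private key must never be group- or world-readable
}

# Step 2: the CSR, signed with that key. The subject is a constructed value.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=Georgia/L=Atlanta/O=Example Org/CN=www.example.com"
}

# Check 1: report the curve name stored in the key ("secp384r1" is P-384).
key_curve() {
    openssl pkey -in "$KEY" -noout -text | awk '/ASN1 OID/ {print $NF}'
}

# Check 2: a CSR carries a self-signature made with the private key, so a
# good signature proves the request was produced by the holder of eckey.pem.
verify_csr() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Check 3: the public key embedded in the CSR must match the private key.
# Compare SHA-256 digests of both keys in DER SubjectPublicKeyInfo form.
csr_matches_key() {
    k=$(openssl pkey -in "$KEY" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl req -in "$CSR" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Check 4: the subject that the CA will see.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}

main() {
    make_ec_key
    make_csr
    echo "key curve:       $(key_curve)"
    verify_csr && echo "CSR signature:   OK"
    csr_matches_key && echo "CSR public key:  matches $KEY"
    echo "CSR $(csr_subject)"
    echo "Submit $CSR to your CA; $KEY stays on the web server only."
}

main "$@"
```

Run it as-is to see the four checks pass, or set WORKDIR to write the files somewhere permanent. The CSR is the only file that leaves the machine; the chmod on the key is there because a CSR is useless to an attacker without the private key that signed it, so the key's file permissions are the part that actually matters.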
