version OpenSSL 1.0.2g
- Generate an EC key in the named curve form, which unfortunately isn't the default form in all versions of OpenSSL.
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform PEM -out key.pem
Alternatively, can use
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out private-key.pem but not useful for use with the crypto library of other languages. Most libraries expect the named_curve option.
According to golang/go#18634:
A long time ago it was unclear which elliptic curves would end up being a good idea so formats were designed to support arbitrary curves: i.e. the public key can contain the specification for any curve over prime or binary fields and, in theory, every public key could work on its own, unique curve.
That was bonkers and now software only operates on a few, known-good curves (i.e. P-256, P-384 etc). Thus public keys now just contain an OID identifying the curve.
Your certificate contains the full set of parameters however. It's probably the parameters for a standard curve, but we don't go trying to match arbitrary curves to ones that we know.
This has example of cert with and w/o named_curves: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Named_Curves
- Convert from private to public PEM
openssl ec -in key.pem -pubout -out ecpubkey.pem
- Convert from private to public DER
openssl ec -in key.pem -pubout -outform DER -out ecpubkey.der
- Generate a certificate from a key.pem
openssl req -new -x509 -key key.pem -out cert.pem -days 730
- Convert to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
- Verify the certificate using
openssl x509 -in cert.pem -pubkey
- Sign the data using
openssl dgst -sha256 -sign key.pem targets_signed.json > signature.bin
- Verify that the data was correctly signed
openssl dgst -sha256 -verify ecpubkey.pem -signature signature.bin targets_signed.json
- Convert .pem to .p12
openssl pkcs12 -export -nocerts -inkey privatekey.pem -out privatekey.p12