• Generate an EC key

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform PEM  -out key.pem

Alternatively, can use openssl ecparam -name secp521r1 -genkey -param_enc explicit -out private-key.pem but not useful for use with the crypto library of other languages. Most libraries expect the named_curve option.

According to golang/go#18634: `` A long time ago it was unclear which elliptic curves would end up being a good idea so formats were designed to support arbitrary curves: i.e. the public key can contain the specification for any curve over prime or binary fields and, in theory, every public key could work on its own, unique curve.

That was bonkers and now software only operates on a few, known-good curves (i.e. P-256, P-384 etc). Thus public keys now just contain an OID identifying the curve.

Your certificate contains the full set of parameters however. It's probably the parameters for a standard curve, but we don't go trying to match arbitrary curves to ones that we know. ``

• Convert from private to public PEM

openssl ec -in key.pem -pubout -out ecpubkey.pem

• Convert from private to public DER

openssl ec -in key.pem -pubout -outform DER -out ecpubkey.der

• Generate a certificate from a key.pem

openssl req -new -x509 -key key.pem -out cert.pem -days 730

• Convert to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

• Verify the certificate using

openssl x509 -in cert.pem -pubkey

• Sign the data using

openssl dgst -sha256 -sign key.pem targets_signed.json > signature.bin

• Verify that the data was correctly signed

openssl dgst -sha256 -verify ecpubkey.pem -signature signature.bin targets_signed.json

• Convert .pem to .p12

openssl pkcs12 -export -nocerts -inkey privatekey.pem -out privatekey.p12