I'm trying to generate an ECDSA key pair from the EJBCA admin web. One strange issue I got is:
When I generate the key pair on a PKCS#11 crypto token: although I chose the key specification prime256v1 / secp256r1 / P-256, EJBCA still generates a key pair with the specification P-256 / prime256v1 / secp256r1. Then when I create a CA from this key pair, I always get an unnamed-curve public key.
When I generate the key pair on a SOFT crypto token: although I chose the key specification P-256 / prime256v1 / secp256r1, EJBCA still generates a key pair with the specification prime256v1 / secp256r1 / P-256. Then when I create a CA from this key pair, I always get a named-curve public key.
Can anyone help me understand this difference?
Is there any EJBCA configuration to prevent this?
P-256, secp256r1 and prime256v1 are simply the same thing, just different names for the same curve.
When you create a PKCS#11 crypto token, do NOT check the checkbox "Use explicit ECC parameters" (unless you are really issuing ICAO 9303 CSCA or DS certificates).
Thank you very much, you're correct. Just wondering, does "DS certificate" mean Document Signing certificate? Am I right?
If yes, then it sounds normal to check this checkbox.
DS means document signer, yes. ICAO 9303 violates RFC 5280 by requiring that explicit parameters are used instead of named curves for ECDSA keys in certificates. For all normal use cases named curves should be used.