I just upgraded to the most excellent v6.0.4 version.
I verified all existing CAs and DBs are still OK.
I created a Suite B test CA with:
Signing Algorithm = SHA384withECDSA and Key Type = secp384r1 / P-384
I created an END ENTITY.
Using the latest IE or Firefox, I cannot enroll the certs or create a PKCS#12 file.
For some reason, the key type always defaults back to RSA, not secp384r1 / P-384 as required.
I must be missing something here.
The CA TOKEN Looks like it is setup correctly.
Alias       Key Algorithm  Key Specification   SubjectKeyID                              Action
defaultKey  ECDSA          secp384r1 / P-384   104a86850685db9cbb92a3163397a7968a4e83a1  Download Public Key
signKey     ECDSA          secp384r1 / P-384   a984c57604bac0fb5a0929bf96ba474cf3070db4  Download Public Key
testKey     ECDSA          secp384r1 / P-384   028e907041f5bd2f472bae3dc0a08ae3290eaecf  Download Public Key
Anyone have any Suite B experience on this?
Hopefully I am doing something dumb.
Thanks in advance.
Was that you we have been chatting with on Inc with this question?
Hmm, IRC, darn auto spelling.
I don't understand "IRC", sorry. I asked about this revert-to-RSA problem when we were running v4.0.15 6 months ago. I was hoping v6.0.4 addressed the problem. My ECC CA appears to be perfect but I am unable to harvest a cert with latest IE or Firefox. I have tried all the Microsoft crypto options in the drop-down box.
Ok, I'll copy it here then.
There is no relation between the CA signing algorithm and the client keys. You can mix and match different algorithms in a certificate chain.
Currently, you can generate P12 files using batch enrollment (bin/ejbca.sh batch), setting the key type in batchtool.properties. These keystores work well with ECC when imported into a browser.
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact firstname.lastname@example.org for more information.
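An added example, not from this thread and not EJBCA's own batch tool, that shows both points of the reply above with plain openssl: the CA's signing algorithm and the end-entity key type are independent (an RSA client is enrolled under a P-384 / SHA384withECDSA CA), and a PKCS#12 built outside the browser really does carry the EC key. It assumes openssl 1.1.1 or newer on PATH; the CA name, client names and password are made up for the demo, and the `p12_key_type` check at the end is the one to run against a browser-generated P12 to see whether it silently fell back to RSA.

```shell
#!/bin/sh
# Added example (not from this thread or from EJBCA): build a throwaway
# P-384 / SHA384withECDSA CA, enrol one EC P-384 client and one RSA client
# under it, pack each into a PKCS#12 and inspect what key type ended up inside.
# Assumes openssl 1.1.1+ on PATH. Names, subjects and the password are made up;
# everything lives in a temp dir that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS=changeit

# Suite B style CA: P-384 key, self-signed with ECDSA over SHA-384.
make_ca() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key"
  openssl req -new -x509 -sha384 -key "$WORK/ca.key" -days 30 \
      -subj "/CN=Test Suite B CA" -out "$WORK/ca.pem" 2>/dev/null
}

# Enrol one end entity and write <name>.p12. $1 = name, $2 = "ec" or "rsa".
# The key type is decided here, on the client side; the CA's own algorithm
# never enters into it, which is why an EC CA can sign an RSA end entity.
enroll() {
  name=$1; ktype=$2
  case "$ktype" in
    ec)  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/$name.key" ;;
    rsa) openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null ;;
    *)   echo "unknown key type: $ktype" >&2; return 1 ;;
  esac
  openssl req -new -sha384 -key "$WORK/$name.key" -subj "/CN=$name" \
      -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -sha384 -days 30 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.pem" 2>/dev/null
  openssl pkcs12 -export -name "$name" -inkey "$WORK/$name.key" -in "$WORK/$name.pem" \
      -certfile "$WORK/ca.pem" -passout "pass:$P12PASS" -out "$WORK/$name.p12"
}

# Key algorithm actually stored in <name>.p12: "EC:<curve>", "RSA" or "UNKNOWN".
# Run this against any P12 you suspect fell back to RSA.
p12_key_type() {
  txt=$(openssl pkcs12 -in "$WORK/$1.p12" -nocerts -nodes -passin "pass:$P12PASS" 2>/dev/null \
        | openssl pkey -text -noout)
  case "$txt" in
    *"ASN1 OID: "*)   echo "EC:$(printf '%s\n' "$txt" | sed -n 's/^ *ASN1 OID: *//p')" ;;
    *publicExponent*) echo "RSA" ;;
    *)                echo "UNKNOWN" ;;
  esac
}

# Signature algorithm on <name>.pem, e.g. "ecdsa-with-SHA384".
cert_sig_alg() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

make_ca
enroll ecclient ec
enroll rsaclient rsa
for n in ecclient rsaclient; do
  printf '%-10s key=%-14s cert signed with %s\n' \
      "$n" "$(p12_key_type "$n")" "$(cert_sig_alg "$n")"
done
```

Both certificates come back signed with ecdsa-with-SHA384 while the keys inside the two P12 files differ (EC:secp384r1 versus RSA), which is exactly the mix-and-match the reply describes; the EJBCA batch tool does the same job with the key type taken from batchtool.properties instead of the `enroll` argument here.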
I have successfully generated Suite B certs with NIST P-384. I suggest adding the following ECC Notes to the User Manual in the Creating User Certificates section.
NOTE: Suite B/ECC Certificates Only
IE and Firefox do not yet support browser-based ECC certificate enrollment. They always default back to RSA regardless of the CA ECC properties. The only way to harvest ECC certificates is as follows:
Done, thanks for the suggestion.