Suite B Brower Enrollment Problem

Randy Best
  • Randy Best

    Randy Best - 2014-03-11

    I just upgraded to the most excellent v6.0.4 version.
    I verified all existing CA and DBs still OK.

    I created a Suite B test CA with:

    Signing Algorithm = SHA384withECDSA and Key Type = secp384r1 / P-384

    I create an END ENTITY.
    Using latest IE or Firefox, I can not enroll the certs or create a PKCS#12 file.
    For some reason, the key type always defaults back to RSA, not secp384r1 / P-384 as required.
    I must be missing something here.

    The CA TOKEN Looks like it is setup correctly.

    Alias   Key Algorithm   Key Specification   SubjectKeyID    Action
    defaultKey  ECDSA   secp384r1 / P-384   104a86850685db9cbb92a3163397a7968a4e83a1    Download Public Key
    signKey     ECDSA   secp384r1 / P-384   a984c57604bac0fb5a0929bf96ba474cf3070db4    Download Public Key
    testKey     ECDSA   secp384r1 / P-384   028e907041f5bd2f472bae3dc0a08ae3290eaecf    Download Public Key

    Anyone have any Suite B experience on this?
    Hopefully I am doing something dumb.

    Thanks in advance.

  • Tomas Gustavsson

    Hi Randy,

    Was that you we have been chatting with on Inc with this question?


  • Tomas Gustavsson

    Hmm, IRC, darn auto spelling.

    • Randy Best

      Randy Best - 2014-03-13

      I don't understand "IRC", sorry. I asked about this revert-to-RSA problem when we were running v4.0.15 6 months ago. I was hoping v6.0.4 addressed the problem. My ECC CA appears to be perfect but I am unable to harvest a cert with latest IE or Firefox. I have tried all the Microsoft crypto options in the drop-down box.


  • Tomas Gustavsson

    Ok, I'll copy it here then.

    There is no relation between the CA signing algorithm and the client keys. You can mix and match different algorithms in a certificate chain.

    I don't know even if you can make the browsers generate EC keys. FireFox keygen tag is for sure RSA only. Perhaps you can modify VB script for IE, or use some javascript in FF, but I don't know. If you are an IE fan you can check the VB script in the IE enrollment page and try to modify it.

    Currently, you can generate P12 files using batch enrollment (bin/ batch) setting key type in These keystore work well with ECC t import in browser.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see or contact for more information.

    Last edit: Tomas Gustavsson 2014-03-14
    • Randy Best

      Randy Best - 2014-03-20


      I have successfully generated Suite B certs with NIST P-384. I suggest adding the following ECC Notes to the User Manual in the Creating User Certificates section.

      NOTE: Suite B/ECC Certificates Only

      IE and Firefox do not yet support browser-based ECC certificate enrollment. They always default back to RSA regardless of the CA ECC properties. The only way to harvest ECC certificates is as follows:

      1. Edit batchtool.proprties file in folder conf: keys.alg=ECDSA, keys.spec=P-384 (or whatever named spec you need)
      2. Set all NEW entity passwords first: bin/ ra setclearpwrd entity-user entity-pw
      3. Run bin/ batch - processes all NEW entities and places p12 files in folder p12
      4. Copy p12/*.p12 /usr - must copy out of root privileged folders for ftp or sftp
      5. Use sftp or ftp to copy the *.p12 files from the ejbca server.

Log in to post a comment.