Suite B Cert Question

Help
Randy Best
2013-10-07
2013-10-09
  • Randy Best

    Randy Best - 2013-10-07

    Can EJBCA create a cert with the following?

    Signature algorithm = sha384 ECDSA
    Signature Hash Algorithm = sha384

    Public key = ECC (384 bits)
    Public key Parameters = ECDH_P384

    I think I have tried all options and the public key is always RSA.

    Thanks

  • Tomas Gustavsson

    Yes this is no problem. You are probably generating keys with RSA and certifying those. Server generated keys?

    Cheers,
    Tomas

    • Randy Best

      Randy Best - 2013-10-07

      I am requesting PKCS#12, not sure who is generating the keys, maybe the browser and that is the problem? How do I configure such that I can harvest the certs into Firefox? Ideally I need PKCS#12 files. I am not understanding the mechanics here, sorry.

  • Randy Best

    Randy Best - 2013-10-07

    I will start over on this quest and provide better information.

    EJBCA v 4_0_16

    Mission: Create Suite B certs in PKCS#12 formats.

    Requirements:

    Only one CA to be used (dumb I know), both root and issuing. I have this created and all signature/key material is correct for ECDSA 384.

    Client certs must be as follows.

    Signature algorithm = sha384 ECDSA
    Signature Hash Algorithm = sha384

    Public key = ECC (384 bits)
    Public key Parameters = ECDH_P384

    Using Firefox and specifying PKCS#12 in the End Entity, the resultant certs always have RSA public keys and not the required ECC (384 bits).

    What is the configuration and process to create the client certs with ECC public keys? Am I missing a setting/configuration somewhere to specify ECC vs RSA public keys? I have tried both Create Browser Certificate and Create Keystore options on the public website with always the same default to RSA.

    Last edit: Randy Best 2013-10-08
  • Tomas Gustavsson

    Hi Randy,

    So when using the web browser to generate a server side keystore there are currently no options to generate ECC keys. You can use certificate requests (User generated keystore type) or the "ejbca.sh batch" command, editing batchtool.properties for ECC keys.

    Relating to browsers however, there is this issue fixed, not available in 4.0.16.
    https://jira.primekey.se/browse/ECA-3131

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

