Can EJBCA create a cert with the following?
Signature algorithm = sha384 ECDSA
Signature Hash Algorithm = sha384
Public key = ECC (384 bits)
Public key Parameters = ECDH_P384
I think I have tried all options and the public key is always RSA.
Thanks
Yes this is no problem. You are probably generating keys with RSA and certifying those. Server generated keys?
Cheers,
Tomas
I am requesting PKCS#12, not sure who is generating the keys, maybe the browser and that is the problem? How do I configure such that I can harvest the certs into Firefox? Ideally I need PKCS#12 files. I am not understanding the mechanics here, sorry.
I will start over on this quest and provide better information.
EJBCA v 4_0_16
Mission: Create Suite B certs in PKCS#12 formats.
Requirements:
Only one CA to be used (dumb I know), both root and issuing. I have this created and all signature/Key material is correct for ECDSA 384.
Client certs must be as follows.
Signature algorithm = sha384 ECDSA
Signature Hash Algorithm = sha384
Public key = ECC (384 bits)
Public key Parameters = ECDH_P384
Using Firefox and specifying PKCS#12 in the End Entity, the resultant certs always have RSA public keys and not the required ECC (384 bits).
What is the configuration and process to create the client certs with ECC public keys? Am I missing a setting/configuration somewhere to specify ECC vs RSA public keys? I have tried both Create Browser Certificate and Create Keystore options on the public website with always the same default to RSA.
Last edit: Randy Best 2013-10-08
Hi Randym,
So when using the web browser to generate a server side keystore there are currently no options to generate ECC keys. You can use certificate requests (User generated keystore type) or the "ejbca.sh batch" command editing batchtool.properties for ECC keys.
Relating to browsers however, there is this issue fixed, not available in 4.0.16.
https://jira.primekey.se/browse/ECA-3131
Cheers,
Tomas
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
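The certificate-request ("User Generated") route mentioned in the reply above, sketched with OpenSSL as an added example that is not part of the thread and is not EJBCA code: the P-384 key is generated on the client, the CSR goes to the CA, and the returned certificate is bundled with the key into a PKCS#12 file that Firefox can import. The function names, file names and subject DN are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): client-side P-384 key and CSR,
# then PKCS#12 packaging. All names below are hypothetical.

# Generate a secp384r1 (P-384) private key and a CSR signed with SHA-384.
# $1 = output basename, $2 = subject DN (must match the EJBCA end entity)
make_csr() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1.key" &&
    chmod 600 "$1.key" &&
    openssl req -new -key "$1.key" -sha384 -subj "$2" -out "$1.csr"
}

# Print the named curve carried in a CSR, to check it before submitting.
# $1 = CSR file
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Print the signature algorithm of the certificate the CA returned.
# $1 = certificate file (PEM)
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Bundle private key, issued certificate and CA certificate into PKCS#12.
# $1 = basename used in make_csr, $2 = issued cert (PEM),
# $3 = CA cert (PEM), $4 = file holding the export password
make_p12() {
    openssl pkcs12 -export -inkey "$1.key" -in "$2" -certfile "$3" \
        -name "$1" -passout "file:$4" -out "$1.p12"
}

# Typical sequence (the CSR is pasted or uploaded to the CA in between):
#   make_csr client "/CN=Example User"
#   csr_curve client.csr            # expect secp384r1
#   cert_sigalg client.pem          # expect ecdsa-with-SHA384
#   make_p12 client client.pem ca.pem p12pass.txt
```

Checking `csr_curve` before submission and `cert_sigalg` after issuance confirms both halves of the requirement: the public key comes from the requester's key pair, while the signature algorithm is set by the CA.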