

how to generate ecdsa certificate in linux
https://lists.strongswan.org/pipermail/users/2008-December/002976.html

Vit Pelcak wrote:
> Andreas Steffen napsal(a):
>> Vit Pelcak wrote:
>>
>>> Hi.
>>>
>>> I'd like to ask you how can I create and export ECDSA certs and keys for
>>> this scenario:
>>> http://www.strongswan.org/uml/testresults42/openssl/ecdsa-certs/
>>>
>> I described the generation of EC keys in the following posting:
>>
>> https://lists.strongswan.org/pipermail/users/2008-October/002789.html
>>
>> The "openssl ecparam -genkey" puts a parameter description in front
>> of the actual EC key, a construct which strongSwan's private key parser
>> is not able to handle. Therefore either delete the parameter description
>> manually using an ASCII editor or execute the following "cleansing" command:
>>
>> openssl ec -in ecKey.pem -out ecKey.pem
>>
>>
>>> I already have CA and RSA certs and keys exported:
>>>
>>> # find /etc/ipsec.* | grep pem
>>> /etc/ipsec.d/private/machine-1.pem
>>> /etc/ipsec.d/certs/machine-1.pem
>>> /etc/ipsec.d/cacerts/ipsec-test.pem
>>> /etc/ipsec.d/crls/ipsec-crl.pem
>>>
>>> I can pass test:
>>> http://www.strongswan.org/uml/testresults42/openssl/ike-alg-ecp-high/
>>>
>>> Do I need whole new CA or just new keys and certs are enough?
>>>
>>>
>> No, you can use your CA's RSA key to sign an ECDSA certificate.
>>
>
> Thank you for your help. I did generate keys for all three types of
> elliptic curves.
> But I am not sure if I understand you well if it comes to certs.
>
> If I can sign ECDSA certificate with RSA key for RFC 4869 testing, how
> can I generate and export this cert, do I need those ECDSA keys anyway?
>
Doing an IKEv2 Authentication according to RFC 4754 requires an ECDSA
private key for the sender to sign the AUTH payload with and a matching
ECDSA public key for the receiver to verify the correctness of the
signature in the AUTH payload with. The receiver gets the ECDSA public key
from the sender in the form of an ECDSA certificate. In order to have trust
into the received ECDSA public key the certificate must be signed by a
trusted CA. RFC 4754 does not specify the format of the peer certificate,
so in principle it could be signed by the CA using e.g. a 2048 or 4096 bit
RSA key. But of course from the point of view of cryptographical strength
and efficient trust path verification it would make sense that the CA
would also use an ECDSA key for the certificate signature. As you can see
in our ECDSA sample scenario, we are using an ECDSA key in the CA
certificate, too:

http://www.strongswan.org/uml/testresults42/openssl/ecdsa-certs/moon.listall

> Thank you for your time.
>
> Regards
> Vit Pelcak

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
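The procedure the thread settles on, as an added example that is not part of the list thread or of strongSwan's own scripts: generate an EC key with "openssl ecparam -genkey", show the "EC PARAMETERS" block it prepends, strip it with "openssl ec" (the "cleansing" step), then have an RSA CA sign a certificate for the ECDSA key and verify the chain. The scratch directory, curve (prime256v1), CA subject and the name "machine-1" are illustrative assumptions; the RSA CA is constructed here because the example has to run stand-alone.

```shell
#!/bin/sh
# Added example, not code from the strongSwan list thread: reproduce the key
# "cleansing" step the thread describes and sign the resulting ECDSA key with
# an RSA CA. File names, curve, and subjects are assumptions for a scratch dir.
set -eu

# Count PEM blocks with the given label in a file (e.g. "EC PARAMETERS").
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Generate an EC key the way the thread does. "openssl ecparam -genkey" writes
# an "EC PARAMETERS" block in front of the key ($out.raw); "openssl ec" rewrites
# only the key into $out, which is the form strongSwan's parser expects.
gen_ec_key() {
    curve="$1"; out="$2"
    openssl ecparam -name "$curve" -genkey -out "$out.raw"
    openssl ec -in "$out.raw" -out "$out" 2>/dev/null
}

# Self-signed RSA CA (constructed for the example; the thread's user already
# has one under /etc/ipsec.d/cacerts).
make_rsa_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ipsec-test CA (example)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# CSR from the ECDSA key, signed by the RSA CA: the certificate carries an
# id-ecPublicKey and an RSA signature, which RFC 4754 does not forbid.
sign_ec_cert() {
    dir="$1"; key="$2"; name="$3"
    openssl req -new -key "$key" -subj "/CN=$name" -out "$dir/$name.csr"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
}

# Print the signature algorithm and public key algorithm so the mixed
# RSA-signed / ECDSA-keyed certificate is visible.
cert_algorithms() {
    openssl x509 -in "$1" -noout -text \
        | grep -E 'Signature Algorithm|Public Key Algorithm' | head -2 | tr -s ' '
}

# The chain check a peer performs against its trusted CA certificate.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$2"
}

demo() {
    d=$(mktemp -d)
    gen_ec_key prime256v1 "$d/ecKey.pem"
    echo "raw key: $(count_pem_blocks "$d/ecKey.pem.raw" 'EC PARAMETERS') EC PARAMETERS block(s)"
    echo "cleansed key: $(count_pem_blocks "$d/ecKey.pem" 'EC PARAMETERS') EC PARAMETERS block(s)"
    make_rsa_ca "$d"
    sign_ec_cert "$d" "$d/ecKey.pem" machine-1
    cert_algorithms "$d/machine-1.crt"
    verify_chain "$d" "$d/machine-1.crt"
    rm -rf "$d"
}

demo
```

The cleansed ecKey.pem is what goes under /etc/ipsec.d/private, and the signed machine-1.crt under /etc/ipsec.d/certs, alongside the existing RSA CA certificate. Current OpenSSL can also skip the parameter block at generation time with "openssl ecparam -genkey -noout", which makes the separate "openssl ec" pass unnecessary.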
