Elliptic-curve cryptography (ECC) is cryptography based on the algebraic
structure of elliptic curves over finite fields. ECC requires smaller
keys compared to non-ECC cryptography
Why should I consider ECC?
One of the main benfits of ECC is a smaller key size which reduces
storage and transmission requirements. With this reduced size, you
increase the speed in using ECC. ECC can provide the same level of
security using a smaller key when compared to an RSA-based key, for
example: a 256-bit elliptic curve public key should provide comparable
security to a 3072-bit RSA public key.
The CSRs (certificate signing requests) are much smaller in size compared to CSRs generated by RSA-based algorithms.
How can I generate an ECC private key and CSR?
ECC support was added in OpenSSL 0.9.8 however not all servers
included ECC in their compiled versions. You will need to check to
ensure your version of OpenSSL supports ECC. Below are some simple
OpenSSL commands for ECC:
First, you must create the ECC private key:
openssl ecparam -out <path/to/private>.key -name <curve> -genkey
<path/to/private> is the path and name of your private key file that you wish to create. Example: "C:\temp\mykey.key"
<curve> is the name of the Eliptical Curve you wish to use. Example: -name secp384r1
Note: You can get a list of available curves by running:
openssl ecparam -list_curves
Once the ECC private key has been created, you can then run the following to create your CSR:
openssl req -new -key <path/to/private>.key -out <path/to/csr>.txt
<path/to/private>.key is the private key you created in the first step. Example: "C:\temp\mykey.key"
<path/to/csr> is the path and name of your CSR file that you wish to create. Example: "C:\temp\mycsr.txt"
Which ECC curves does QuoVadis support?
At this time, Trust/Link only allows for the following Elliptical Curves with an RSA Signing algorithm: