What is Elliptic Curve Cryptography (ECC)?
Elliptic-curve cryptography (ECC) is public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys than non-ECC cryptography for the same level of security.
One of the main benefits of ECC is its smaller key size, which reduces storage and transmission requirements; the smaller size also makes ECC operations faster. ECC can provide the same level of security as RSA using a much smaller key. For example, a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key.
CSRs (certificate signing requests) generated with ECC keys are much smaller than CSRs generated with RSA-based algorithms.
ECC support was added in OpenSSL 0.9.8; however, not every server ships an OpenSSL build that includes ECC, so you will need to check that your version of OpenSSL supports it. Below are some simple OpenSSL commands for ECC:
First, you must create the ECC private key:
openssl ecparam -out <path/to/private>.key -name <curve> -genkey
Where:
<path/to/private> is the path and name of the private key file you wish to create. Example: "C:\temp\mykey.key"
<curve> is the name of the elliptic curve you wish to use. Example: -name secp384r1
Note: You can get a list of available curves by running:
openssl ecparam -list_curves
Once the ECC private key has been created, you can then run the following to create your CSR:
openssl req -new -key <path/to/private>.key -out <path/to/csr>.txt
Where:
<path/to/private>.key is the private key you created in the first step. Example: "C:\temp\mykey.key"
<path/to/csr> is the path and name of the CSR file you wish to create. Example: "C:\temp\mycsr.txt"
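The two steps above, wrapped in shell functions that also check the curve is available, that the generated key really is on that curve, and that the CSR verifies before you submit it. This is an added example, not part of the original article; it assumes an openssl binary on PATH, and the file names and subject DN are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: the ECC key and CSR steps
# as checkable functions. Assumes openssl on PATH; paths and the subject DN
# below are placeholders.
set -eu

# Returns 0 if this OpenSSL build lists the curve. Names in -list_curves are
# padded, so the colon may follow directly ("prime256v1:") or after spaces.
ecc_curve_supported() {
    openssl ecparam -list_curves 2>/dev/null | grep -q "^ *$1 *:"
}

# Generate the private key. -noout drops the separate "EC PARAMETERS" PEM
# block that some tools reject; the key itself still records the curve.
make_ecc_key() {  # $1 = key path, $2 = curve name
    ecc_curve_supported "$2" || { echo "curve $2 not available" >&2; return 1; }
    openssl ecparam -name "$2" -genkey -noout -out "$1"
}

# Print the named curve stored in an EC private key (e.g. secp384r1).
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# Create the CSR non-interactively; $3 is the subject, e.g. "/CN=host.example".
make_ecc_csr() {  # $1 = key path, $2 = CSR path, $3 = subject DN
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Print the curve of the public key embedded in a CSR.
csr_curve() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# Before submitting: the CSR's self-signature must verify and its key must be
# on the curve you asked for.
verify_ecc_csr() {  # $1 = CSR path, $2 = expected curve
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 \
        && [ "$(csr_curve "$1")" = "$2" ]
}

# Run the whole sequence with: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_ecc_key "$d/mykey.key" secp384r1
    make_ecc_csr "$d/mykey.key" "$d/mycsr.txt" "/CN=www.example.invalid"
    verify_ecc_csr "$d/mycsr.txt" secp384r1 && echo "CSR OK: $(wc -c < "$d/mycsr.txt") bytes"
fi
```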
At this time, Trust/Link only allows the following elliptic curves with an RSA signing algorithm: