Overview
| SECG | ANSI X9.62 | NIST |
|---|---|---|
| sect163k1 | | NIST K-163 |
| sect163r1 | | |
| sect163r2 | | NIST B-163 |
| sect193r1 | | |
| sect193r2 | | |
| sect233k1 | | NIST K-233 |
| sect233r1 | | NIST B-233 |
| sect239k1 | | |
| sect283k1 | | NIST K-283 |
| sect283r1 | | NIST B-283 |
| sect409k1 | | NIST K-409 |
| sect409r1 | | NIST B-409 |
| sect571k1 | | NIST K-571 |
| sect571r1 | | NIST B-571 |
| secp160k1 | | |
| secp160r1 | | |
| secp160r2 | | |
| secp192k1 | | |
| secp192r1 | prime192v1 | NIST P-192 |
| secp224k1 | | |
| secp224r1 | | NIST P-224 |
| secp256k1 | | |
| secp256r1 | prime256v1 | NIST P-256 |
| secp384r1 | | NIST P-384 |
| secp521r1 | | NIST P-521 |
Displaying Available Curves
In OpenSSL:
```
$ openssl ecparam -list_curves
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
```
In NSS:
```
$ certutil -H -G
...
   -q curve-name     Elliptic curve name (ec only)
                     One of nistp256, nistp384, nistp521, curve25519.
                     If a custom token is present, the following curves are also supported:
                     sect163k1, nistk163, sect163r1, sect163r2,
                     nistb163, sect193r1, sect193r2, sect233k1, nistk233,
                     sect233r1, nistb233, sect239k1, sect283k1, nistk283,
                     sect283r1, nistb283, sect409k1, nistk409, sect409r1,
                     nistb409, sect571k1, nistk571, sect571r1, nistb571,
                     secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
                     nistp192, secp224k1, secp224r1, nistp224, secp256k1,
                     secp256r1, secp384r1, secp521r1,
                     prime192v1, prime192v2, prime192v3,
                     prime239v1, prime239v2, prime239v3, c2pnb163v1,
                     c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
                     c2tnb191v2, c2tnb191v3,
                     c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
                     c2pnb272w1, c2pnb304w1,
                     c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
                     secp112r2, secp128r1, secp128r2, sect113r1, sect113r2
                     sect131r1, sect131r2
```
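The two tools list the same curve under different names (for example `prime256v1` in OpenSSL and `nistp256` in NSS), which makes it easy to misread one tool's list as lacking a curve the other offers. The Python sketch below is an added example, not part of the original page: it normalizes names to the SECG spelling using the overview table and reports the curves both listings contain. The function names are hypothetical and the sample input is copied from the listings above.

```python
import re
# Alias rules are read off the overview table; function names are illustrative.
P_BITS = {"192", "224", "256", "384", "521"}
KB_BITS = {"163", "233", "283", "409", "571"}
ANSI = {"prime192v1": "secp192r1", "prime256v1": "secp256r1"}

def canonical(name):
    """Return the SECG name for an ANSI X9.62 or NIST spelling of a curve."""
    n = name.strip().lower()
    if n in ANSI:
        return ANSI[n]
    m = re.fullmatch(r"nist[ -]?([pkb])-?(\d+)", n)  # "NIST P-256" or "nistp256"
    if not m:
        return n
    kind, bits = m.groups()
    if bits not in (P_BITS if kind == "p" else KB_BITS):
        return n  # not a NIST curve from the table
    suffix = "k1" if kind == "k" else "r2" if (kind, bits) == ("b", "163") else "r1"
    return ("secp" if kind == "p" else "sect") + bits + suffix

def parse_openssl(text):
    """Names from `openssl ecparam -list_curves` lines ("name : description")."""
    return [l.split(":", 1)[0].strip() for l in text.splitlines() if ":" in l]

def parse_nss(text):
    """Curve-name tokens from the certutil -q help text."""
    return re.findall(r"\b(?:sec[pt]|nist[pkb]|prime|c2[pt]nb|curve)\d+\w*", text)

def common_curves(openssl_text, nss_text):
    """Map SECG name -> (OpenSSL spelling, NSS spelling) for curves both list."""
    ossl = {canonical(n): n for n in parse_openssl(openssl_text)}
    nss = {}
    for n in parse_nss(nss_text):
        nss.setdefault(canonical(n), n)  # keep the first spelling NSS prints
    return {c: (ossl[c], nss[c]) for c in ossl if c in nss}

# Sample input copied from the listings on this page.
OPENSSL_OUT = """\
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
"""
NSS_OUT = "One of nistp256, nistp384, nistp521, curve25519."

if __name__ == "__main__":
    for secg, (o, n) in common_curves(OPENSSL_OUT, NSS_OUT).items():
        print(f"{secg}: openssl -name {o} | certutil -q {n}")
```

With the sample input, `secp224r1` and `secp256k1` drop out because the NSS line without a custom token does not list them.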
Generating Self-Signed Certificate
To generate a certificate with NSS:
```
$ certutil -S \
    -x \
    -d /var/lib/tomcats/pki/alias \
    -f password.txt \
    -z noise.bin \
    -n sslserver \
    -s "CN=$HOSTNAME" \
    -t "CT,C,C" \
    -m $RANDOM \
    -k ec \
    -q secp256r1 \
    --keyUsage certSigning,keyEncipherment
```
To generate a certificate with OpenSSL:
```
$ openssl ecparam \
    -genkey \
    -name prime256v1 \
    -out sslserver.key
$ openssl req \
    -new \
    -x509 \
    -nodes \
    -days 365 \
    -subj "/CN=$HOSTNAME" \
    -key sslserver.key \
    -out sslserver.crt
```
To generate a certificate with keytool:
```
$ keytool -genkeypair \
    -keystore keystore.p12 \
    -storetype pkcs12 \
    -storepass Secret.123 \
    -alias sslserver \
    -keyalg EC \
    -keysize 256 \
    -dname "CN=$HOSTNAME" \
    -keypass Secret.123
```