A trusted certificate is one that is purchased from a trusted certificate authority (CA), such as www.verisign.com. Internet-facing production applications should use a certificate from a trusted CA. For non-production applications, a self-signed certificate can be used; be aware that applications such as a web browser will warn when a self-signed certificate is presented.
Use apt-get or yum to install OpenSSL.
~]# apt-get install openssl
~]# yum install openssl
ECDSA Parameters and Private Key
Ensure root owns the private directory, and that only root can enter, read and write to it. A directory needs the execute bit to be traversed, so mode 700 is used here rather than 600.
~]# chown root:root /etc/pki/tls/private
~]# chmod 700 /etc/pki/tls/private
Create the ECDSA parameters file and private key.
~]# openssl ecparam -genkey -out /etc/pki/tls/private/ec_private.key -name prime256v1
View the content of the ec_private.key file and ensure both BEGIN EC PARAMETERS and BEGIN EC PRIVATE KEY are displayed.
~]# cat /etc/pki/tls/private/ec_private.key
-----BEGIN EC PARAMETERS-----
. . .
-----BEGIN EC PRIVATE KEY-----
Ensure only root can read the private key file.
~]# chmod 400 /etc/pki/tls/private/ec_private.key
A private key doesn't contain user-specific data such as an "alias" or "expiration date", so there is nothing of that kind to decode out of a private key; those fields live in the certificate.
Create an ECDSA certificate.
~]# openssl req -x509 -new -key /etc/pki/tls/private/ec_private.key -out /etc/pki/tls/certs/ec_certificate.crt
There will be a series of prompts.
| Prompt | Example value | Description |
|---|---|---|
| Country Name | US | United States |
| Organization Name | Example, Inc. | Company name |
| Organization Unit Name | Example, Inc. | Company name |
| Common Name | www.example.com | Domain name |
| Email Address | firstname.lastname@example.org | Admin email |
View the content of the ec_certificate.crt file and ensure BEGIN CERTIFICATE is displayed.
~]# cat /etc/pki/tls/certs/ec_certificate.crt
-----BEGIN CERTIFICATE-----
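The whole procedure above, as an added example script that is not part of the original page: it generates the prime256v1 key, answers the certificate prompts non-interactively with -subj (using the values from the table), applies the file permissions, and then verifies that the certificate's public key really matches the private key, which is the check you want before installing the pair. It writes under a directory you name instead of /etc/pki/tls so it can be tried unprivileged in a scratch directory; the 365-day validity and the directory layout are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes openssl is on PATH.
# On a real host pass /etc/pki/tls as the base directory and run as root.
set -eu

# Generate the EC parameters plus private key into $1, as the page does.
gen_ec_key() {
    keyfile="$1"
    openssl ecparam -genkey -name prime256v1 -out "$keyfile" 2>/dev/null
    chmod 400 "$keyfile"              # only the owner may read the key
}

# Create a self-signed certificate from key $1 into $2 without prompting.
# -subj supplies the same answers the interactive prompts would ask for
# (assumed values from the table above; 365-day validity is an assumption).
gen_self_signed() {
    keyfile="$1"; certfile="$2"
    openssl req -x509 -new -key "$keyfile" -out "$certfile" -days 365 \
        -subj "/C=US/O=Example, Inc./OU=Example, Inc./CN=www.example.com/emailAddress=firstname.lastname@example.org" \
        2>/dev/null
}

# Return 0 if $1 contains both PEM blocks the page says to look for.
key_has_expected_blocks() {
    grep -q -- '-----BEGIN EC PARAMETERS-----' "$1" &&
    grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1"
}

# Return 0 when the public key inside certificate $2 equals the public key
# derived from private key $1, i.e. the certificate was made from this key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the full procedure under base directory $1 and return 0 only if every
# check passes: key blocks present, certificate block present, key/cert match.
make_ec_selfsigned() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"          # directories need the execute bit to be entered
    gen_ec_key "$dir/private/ec_private.key"
    gen_self_signed "$dir/private/ec_private.key" "$dir/certs/ec_certificate.crt"
    key_has_expected_blocks "$dir/private/ec_private.key" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/certs/ec_certificate.crt" &&
    key_matches_cert "$dir/private/ec_private.key" "$dir/certs/ec_certificate.crt"
}

# Print subject, issuer and validity so the prompt answers can be eyeballed.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Stand-alone run: build the pair in a scratch directory, show it, clean up.
demo_dir=$(mktemp -d)
make_ec_selfsigned "$demo_dir"
show_cert "$demo_dir/certs/ec_certificate.crt"
rm -rf "$demo_dir"
```

For a self-signed certificate the subject and issuer printed by show_cert are identical; a trusted-CA certificate would show the CA as the issuer instead.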