A trusted certificate is one that is purchased from a trusted certificate authority (CA), such as www.verisign.com. Internet facing production applications should use a certificate from a trusted CA. For non-production applications, a self-signed certificate can be used. Applications, such as a web browser, will complain when a self-signed certificate is used.
Use apt-get or yum to install OpenSSL.
~]# apt-get install openssl
~]# yum install openssl
ECDSA Parameters and Private Key
Ensure root owns the private directory, and that only root can read and write to the private directory.
~]# chown root:root /etc/pki/tls/private
~]# chmod 600 /etc/pki/tls/private
Create the ECDSA parameters file and private key.
~]# openssl ecparam -genkey -out /etc/pki/tls/private/ec_private.key -name prime256v1
View the content of the dsaparam file and ensure BEGIN EC PARAMETERS and BEGIN EC PRIVATE KEY are displayed.
~]# cat /etc/pki/tls/private/ec_private.key
----------BEGIN EC PARAMETERS-----
. . .
----------BEGIN EC PRIVATE KEY-----
Ensure only root can read the private key file.
~]# chmod 400 /etc/pki/tls/private/private.key
A private key doesn't contain user specific data, such as an "alias" or "expiration date", so you wouldn't ever decode out data from a private key.
Certificate
Create an ECDSA certificate.
~]# openssl req -x509 -new -key /etc/pki/tls/private/ec_private.key -out /etc/pki/tls/certs/ec_certificate.crt
There will be a series of prompts.
| Area | Example | Description |
|---|---|---|
| Password | myPassword | Password |
| Country Name | US | United States |
| State/Province | FL | Florida |
| Locality Name | Miami | City |
| Organization Name | Example, Inc. | Company name |
| Organization Unit Name | Example, Inc. | Company name |
| Common Name | www.example.com | Domain name |
| Email Address | admin@example.com | Admin email |
View the content of the ec_certificate.crt file and ensure BEGIN CERTIFCATE is displayed.
~]# cat /etc/pki/tls/certs/certificate.crt
-----BEGIN CERTIFICATE-----