z/OS Cryptographic Services System SSL Programming


Creating a signed ECC certificate and key

SC14-7495-00

If ECC is selected as the certificate key algorithm in the Certificate Key Algorithm menu, you are prompted to choose the ECC key type (for user or server certificates only), which determines the keyUsage extension set in the new certificate, and the EC named curve to be used when generating the ECC key. Supported EC named curves are outlined in Elliptic Curve Cryptography support.

The following example creates an end-entity certificate with an ECDSA key using a 256-bit NIST recommended named curve (secp256r1).

Figure 1. Selecting the ECC Key Type
       Certificate Usage

   1 - CA certificate
   2 - User or server certificate 

Select certificate usage (press ENTER to return to menu): 2 <enter>

       Certificate Key Algorithm

    1 - Certificate with an RSA key
    2 - Certificate with a DSA key 
    3 - Certificate with an ECC key
    4 - Certificate with a Diffie-Hellman key

Select certificate key algorithm (press ENTER to return to menu): 3 <enter> 

       ECC Key Type                                               
                                                                      
   1 - General ECC key                           
   2 - ECDSA key                           
   3 - ECDH key                           
                                                                      
Select ECC key type (press ENTER to return to menu): 2 <enter>  

The selected key type determines the setting of the keyUsage extension in the new certificate. A general ECC key allows Digital Signature, Non-repudiation and Key Agreement. An ECDSA key allows Digital Signature and Non-repudiation only. An ECDH key allows Key Agreement only. Choose the type that matches how the certificate will actually be used: an ECDH-only certificate cannot be used to sign a TLS handshake, and an ECDSA-only certificate cannot be used for static ECDH key agreement.

If option 1 is selected in the Certificate Usage menu, requesting a CA certificate, the ECC Key Type menu does not appear. The keyUsage extension of the new certificate is set to allow the certificate to be used to sign certificates and certificate revocation lists (keyCertSign and cRLSign).
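The keyUsage values above are what you should see when you inspect the resulting certificate. As an added example (not part of this IBM documentation and not gskkyman code), the following Python encodes the keyUsage BIT STRING as defined in RFC 5280 section 4.2.1.3 for each of the four gskkyman choices, decodes one back from DER, and flags a mismatch, for instance a certificate created with an ECDH key that a server is then configured to use for ECDSA signing. The expected-bit mapping is taken from the text; the DER bytes fed to the checker are constructed here, and the function names are this example's own.

```python
"""
Encode/decode the X.509 keyUsage extension (RFC 5280, section 4.2.1.3) and
check a certificate's keyUsage against what gskkyman sets for each ECC key type.

Added example, not part of the z/OS System SSL documentation or of gskkyman.
The expected bit sets are taken from the page text; the sample DER bytes in
main() are constructed from that mapping.
"""

# keyUsage named bits. Bit 0 is the most significant bit of the first content
# octet of the BIT STRING, so digitalSignature alone encodes as 0x80.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# keyUsage that gskkyman sets for each Certificate Usage / ECC Key Type choice.
GSKKYMAN_KEY_USAGE = {
    "General ECC key": {"digitalSignature", "nonRepudiation", "keyAgreement"},
    "ECDSA key": {"digitalSignature", "nonRepudiation"},
    "ECDH key": {"keyAgreement"},
    "CA certificate": {"keyCertSign", "cRLSign"},
}


def encode_key_usage(usages):
    """Return the DER encoding of a keyUsage BIT STRING for the given names.

    DER requires named-bit strings to drop trailing zero bits, so the
    'unused bits' octet depends on the highest bit that is set.
    """
    if not usages:
        return b"\x03\x01\x00"  # empty BIT STRING
    positions = sorted(KEY_USAGE_BITS[u] for u in usages)
    highest = positions[-1]
    nbytes = highest // 8 + 1
    value = 0
    for p in positions:
        value |= 1 << (nbytes * 8 - 1 - p)
    content = value.to_bytes(nbytes, "big")
    unused = nbytes * 8 - (highest + 1)
    body = bytes([unused]) + content
    return b"\x03" + bytes([len(body)]) + body


def decode_key_usage(der):
    """Parse a DER keyUsage BIT STRING and return the set of usage names.

    The input is the content of the extension's extnValue OCTET STRING.
    Rejects anything that is not a well-formed BIT STRING: wrong tag, bad
    length, out-of-range unused-bits octet, or non-zero padding bits.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or length + 2 != len(der):
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    content = der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("bad unused-bits octet")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits are not zero")
    total_bits = len(content) * 8 - unused
    names = set()
    for name, pos in KEY_USAGE_BITS.items():
        if pos < total_bits and content[pos // 8] & (0x80 >> (pos % 8)):
            names.add(name)
    return names


def check_key_usage(der, key_type):
    """Compare decoded keyUsage with the gskkyman setting for key_type.

    Returns (ok, missing, unexpected) so a caller can report exactly which
    bits differ rather than just 'mismatch'.
    """
    expected = GSKKYMAN_KEY_USAGE[key_type]
    actual = decode_key_usage(der)
    return actual == expected, expected - actual, actual - expected


def main():
    # Constructed sample: keyUsage from a certificate created as "ECDH key",
    # checked against the "ECDSA key" profile a TLS server would need.
    ecdh_cert_key_usage = encode_key_usage(GSKKYMAN_KEY_USAGE["ECDH key"])
    ok, missing, unexpected = check_key_usage(ecdh_cert_key_usage, "ECDSA key")
    print("keyUsage DER:", ecdh_cert_key_usage.hex())
    print("usable for ECDSA signing:", ok)
    print("missing:", sorted(missing), "unexpected:", sorted(unexpected))


if __name__ == "__main__":
    main()
```

To apply this to a real certificate, export it in PEM form and read the keyUsage extension value with a tool such as `openssl asn1parse -in cert.pem -i`; the BIT STRING that follows the keyUsage OID (2.5.29.15) is what `decode_key_usage` consumes. The four gskkyman profiles encode as `03 02 03 c8` (general ECC), `03 02 06 c0` (ECDSA), `03 02 03 08` (ECDH) and `03 02 01 06` (CA).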

Once the key type has been selected, you are prompted to select the ECC curve type. For a FIPS database, Brainpool standard curves are not supported, so the ECC Curve Type menu may not appear and you proceed directly to the NIST recommended curve selection.

Figure 2. Selecting the ECC Curve Type
       ECC Curve Type                                              
                                                                      
   1 - NIST recommended curve
   2 - Brainpool standard curve
                                                                      
Select ECC curve type (press ENTER to return to menu): 1 <enter> 

       NIST Recommended Curve Type                                             
                                                                      
   1 - secp192r1
   2 - secp224r1
   3 - secp256r1
   4 - secp384r1
   5 - secp521r1
                                                                      
Select NIST recommended curve (press ENTER to return to menu): 3 <enter> 

Enter label (press ENTER to return to menu): signedECCcert <enter>
Enter subject name for certificate
  Common name (required): My signed ECC Certificate <enter>
  Organizational unit (optional): ID <enter>
  Organization (required): IBM <enter>
  City/Locality (optional): Endicott <enter>
  State/Province (optional): NY <enter>
  Country/Region (2 characters - required): US <enter>
Enter number of days certificate will be valid (default 365): 300 <enter>

Enter 1 to specify subject alternate names or 0 to continue: 0 <enter>

Please wait .....

Certificate created.

Press ENTER to continue.
 

For a FIPS database, some curves are not approved for use and may not appear in the NIST Recommended Curve Type menu. After selecting the curve you are prompted to enter the certificate label, subject name, validity period and (optionally) subject alternate names. See Creating a signed certificate and key for more information.





Copyright IBM Corporation 1990, 2014