24

I know how to generate an RSA Private Key and CSR:

openssl genrsa -out my.key.pem 2048
openssl req -new -sha256 -key my.key.pem -out my.csr

But, how do I do the same with an ECDSA (Elliptic Curve Digital Signature Algorithm)?

Giacomo1968
  • 58,727
Sreehari
  • 355

3 Answers

31

For a list of possible curve names, run:

openssl ecparam -list_curves

Then, pick a curve from the list and replace your first line with:

openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem

(replace secp521r1 with whichever curve you choose from the list)

Finally, generate the CSR as you have done:

openssl req -new -sha256 -key my.key.pem -out my.csr
garethTheRed
  • 4,404
1

Based on the accepted answer, I'd like to use the genpkey command for more general usage:

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out my.key.pem

For -algorithm and -pkeyopt, refer to the openssl man page and its KEY GENERATION OPTIONS section.

Then:

openssl req -new -sha256 -key my.key.pem -out my.csr
Nick Tsai
  • 139
0

In addition to the existing answers, here are some single-liners:

  1. Create a Certificate metadata configuration file
cat > ecdsa-certificate-metadata.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = US
ST = CA
L = Mountain View
O = Example Corp, Inc.
CN = *.example.com
EOF

  2. Create the CSR non-interactively (different commands)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf

or

openssl ecparam -name secp521r1 -genkey -noout -out ecdsa-domain-private.key
openssl req -new -sha256 -key ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf

or

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf

or

openssl ecparam -genkey -name prime256v1 | openssl ec -out ecdsa-domain-private.key
openssl req -new -sha256 -key ecdsa-domain-private.key -out ecdsa-certificate-signing-request-for-certificate-authority.csr -config ecdsa-certificate-metadata.cnf
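
A check to run before sending a CSR produced by any of the commands above to a CA (added example, not part of any answer): it generates an EC key and CSR, then confirms the self-signature, the curve, the signature algorithm, and that the CSR matches the private key. The function names, file names and subject are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the answers): generate an ECDSA key and CSR, then
# verify the result. Paths and the subject below are constructed placeholders.

# make_ec_csr CURVE DIR SUBJECT: writes DIR/my.key.pem and DIR/my.csr
make_ec_csr() (
    umask 077    # private key is created readable by the owner only
    openssl ecparam -name "$1" -genkey -noout -out "$2/my.key.pem" || exit 1
    openssl req -new -sha256 -key "$2/my.key.pem" -subj "$3" -out "$2/my.csr"
)

# check_ec_csr CSR KEY CURVE: prints the first failed check, returns 0 if all pass
check_ec_csr() (
    csr=$1 key=$2 curve=$3
    fail() { echo "FAIL: $1"; exit 1; }
    # 1. Self-signature verifies. Match the message text rather than the exit
    #    status, which some OpenSSL releases leave at 0 on a failed verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
        || fail "self-signature"
    text=$(openssl req -in "$csr" -noout -text) || fail "unparseable CSR"
    # 2. Key is EC on the requested named curve.
    printf '%s\n' "$text" | grep -q "Public Key Algorithm: id-ecPublicKey" \
        || fail "not an EC key"
    printf '%s\n' "$text" | grep -q "ASN1 OID: $curve\$" \
        || fail "curve is not $curve"
    # 3. Signed with ECDSA over SHA-256 (what -sha256 asks for).
    printf '%s\n' "$text" | grep -q "Signature Algorithm: ecdsa-with-SHA256" \
        || fail "unexpected signature algorithm"
    # 4. Public key in the CSR belongs to this private key.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || fail "CSR/key mismatch"
    echo "OK: $curve CSR verified"
)

# Demo run in a throwaway directory.
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    make_ec_csr prime256v1 "$dir" "/C=US/O=Example Corp/CN=www.example.com" &&
        check_ec_csr "$dir/my.csr" "$dir/my.key.pem" prime256v1
)
demo
```
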