hobbyist-programmer-ar

Generating a Self Signed ECC Certificate and Private Key and Validating the same

Creating my Own Self Signed ECC Certificate

Hey All
This is a continuation of the last post, where I covered the steps to generate and validate an RSA certificate and private key. Here I add the steps to create and validate a certificate and private key that use ECC.

  • Create an ECC Cert and Private Key.
  • Validate an ECC Cert and Private Key Pair

Create an ECC Cert and Private Key

  1. Generating a Private Key. This command generates an ECC private key using the prime256v1 curve and saves it to a file.
openssl ecparam -name prime256v1 -genkey -noout -out ecc_private_key.pem

  • openssl → The command-line tool for cryptographic operations.
  • ecparam → This tells OpenSSL that we are working with Elliptic Curve parameters.
  • -name prime256v1 → Specifies the elliptic curve to use. prime256v1 is the same as secp256r1, which is a widely used and secure curve. You can list available curves using:
openssl ecparam -list_curves
  • -genkey → Generates a new private key based on the selected curve.
  • -noout → Prevents OpenSSL from printing the EC parameters to the output (keeps output clean).
  • -out ecc_private_key.pem → Saves the generated private key to a file named ecc_private_key.pem.
  2. Generating a CSR. OpenSSL will ask for identity details (like domain name, organization, location). The output file ecc_csr.pem contains:
  • Your public key
  • Your identity information
  • A digital signature using your private key
openssl req -new -key ecc_private_key.pem -out ecc_csr.pem
  • req → This tells OpenSSL we are working with a certificate request.
  • -new → Creates a new CSR (Certificate Signing Request).
  • -key ecc_private_key.pem → Uses the previously generated ECC private key.
  • -out ecc_csr.pem → Saves the CSR to a file named ecc_csr.pem.
  3. Generate a Self Signed Cert. A self-signed certificate is useful for testing but isn't trusted by browsers or CAs. If you're using it for a personal system or internal network, it's fine. Otherwise, you'll need a CA-signed certificate.
openssl req -x509 -key ecc_private_key.pem -days 365 -out ecc_certificate.pem
  • req → Again, we're working with a certificate request.
  • -x509 → This tells OpenSSL to create a self-signed certificate instead of a CSR.
  • -key ecc_private_key.pem → Uses your ECC private key to sign the certificate.
  • -days 365 → Specifies the validity period (365 days = 1 year).
  • -out ecc_certificate.pem → Saves the self-signed certificate as ecc_certificate.pem.
  4. Verify the Private Key. This command lets you inspect the ECC private key, showing:
  • The chosen elliptic curve.
  • The private key value (big number).
  • The public key (derived from the private key).
openssl ec -in ecc_private_key.pem -noout -text
  • ec → This tells OpenSSL that we are working with an Elliptic Curve (EC) private key.
  • -in ecc_private_key.pem → Specifies the input file (your private key).
  • -noout → Prevents OpenSSL from printing the key in PEM format.
  • -text → Prints the private key details in human-readable form.
  5. Verify the Certificate
  • Shows certificate details: issuer, subject, validity, public key, signature.
  • Verifies that the certificate was correctly generated.
openssl x509 -in ecc_certificate.pem -noout -text
  • x509 → Specifies that we are working with an X.509 certificate.
  • -in ecc_certificate.pem → Reads the self-signed certificate.
  • -noout → Prevents OpenSSL from outputting the raw certificate in PEM format.
  • -text → Prints detailed certificate information in human-readable format.

Verify the ECC Cert and Private Key Pair

  1. Commands to extract the public key from each file and hash it
openssl pkey -in ecc_private_key.pem -pubout -outform pem | sha256sum
openssl x509 -in ecc_certificate.pem -pubkey -noout -outform pem | sha256sum
  • openssl pkey → Works with private keys.
  • -in ecc_private_key.pem → Reads the private key file.
  • -pubout → Extracts the public key from the private key.
  • -outform pem → Outputs the public key in PEM format.
  • openssl x509 → Works with X.509 certificates.
  • -in ecc_certificate.pem → Reads the certificate file.
  • -pubkey → Extracts the public key from the certificate.
  • -noout → Prevents the certificate details from being printed.
  • -outform pem → Outputs the public key in PEM format.
  • sha256sum → Computes a SHA-256 hash of the public keys.
  • If the hash values match, it means the private key and certificate belong to the same key pair.
  • If the hash values don’t match, then the certificate does not correspond to the private key.
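
The pair check above as a script, with the generation steps made non-interactive so it can run unattended. This is an added example, not from the original post; the function names, the -subj value and the temporary paths are assumptions. It captures each public key before hashing, because piping a failed openssl into sha256sum hashes empty input on both sides and would report a match.

```shell
#!/bin/sh
# Added example. Function names and the CN "example.test" are assumptions.

# Print the SHA-256 of the PEM public key held in a private key or certificate.
# openssl's output is captured first: piping a failed openssl straight into
# sha256sum hashes empty input, so two unreadable files would appear to match.
pub_hash() {  # $1 = key|cert, $2 = file
    if [ "$1" = key ]; then
        pub=$(openssl pkey -in "$2" -pubout -outform pem 2>/dev/null) || return 2
    else
        pub=$(openssl x509 -in "$2" -pubkey -noout -outform pem 2>/dev/null) || return 2
    fi
    [ -n "$pub" ] || return 2
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Exit status: 0 = same key pair, 1 = different keys, 2 = a file could not be parsed.
key_matches_cert() {  # $1 = private key, $2 = certificate
    kh=$(pub_hash key "$1") || return 2
    ch=$(pub_hash cert "$2") || return 2
    [ "$kh" = "$ch" ]
}

# Non-interactive version of the generation steps; -subj replaces the prompts.
make_pair() {  # $1 = existing directory to write into
    (
        umask 077  # the key is written unencrypted, so keep it owner-only
        openssl ecparam -name prime256v1 -genkey -noout -out "$1/ecc_private_key.pem" &&
        openssl req -new -x509 -key "$1/ecc_private_key.pem" -days 365 \
            -subj "/CN=example.test" -out "$1/ecc_certificate.pem"
    ) 2>/dev/null
}

# Build two throwaway pairs and print the three possible results: "0 1 2".
demo() {
    d=$(mktemp -d) && mkdir "$d/a" "$d/b" &&
        make_pair "$d/a" && make_pair "$d/b" || return 2
    same=0;    key_matches_cert "$d/a/ecc_private_key.pem" "$d/a/ecc_certificate.pem" || same=$?
    other=0;   key_matches_cert "$d/b/ecc_private_key.pem" "$d/a/ecc_certificate.pem" || other=$?
    missing=0; key_matches_cert "$d/none.pem" "$d/none.pem" || missing=$?
    rm -rf "$d"
    echo "$same $other $missing"
}

demo
```
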
