I am new to the encryption world, and reading about this, most websites say to use the prime256v1 for better performance and security.
After some days testing, finally I get my openssl CA structure working, almost steps come from this guide:
I did some changes, like search for OIDs (just adding same OIDs from permissions, example in CAs I have added 2.5.29.19, etc...)
Already have setup my CRL distribution points too, everything is working (at least seems to be working) nice.
The problem occurs if I change the final certificate structure from the guide, so for example, instead make a TLS Server Certificate using the following 3 steps from guide:
Generate PK
/usr/local/bin/openssl genpkey \
-aes-256-cbc \
-algorithm RSA \
-pkeyopt 'rsa_keygen_bits:4096' \
-out private/srv.example.org.key.enc \
-pass file:private/srv.example.org.pwd
Generate Certificate Request
setenv SAN "DNS:srv.example.org"
/usr/local/bin/openssl req \
-config etc/tls-server.conf \
-new \
-sha512 \
-out certs/srv.example.org.csr \
-key private/srv.example.org.key.enc \
-subj /C=DE/ST=State/L=Locality/O=Example\ Corporation/OU=System\ Administration/CN=srv.example.org \
-passin file:private/srv.example.org.pwd
unsetenv SAN
Sign the certificate
/usr/local/bin/openssl ca \
-config etc/component-ca.conf \
-batch \
-md sha512 \
-in certs/srv.example.org.csr \
-out certs/srv.example.org.crt \
-extensions server_ext \
-startdate `date -j -u '+%Y%m01000000Z'` \
-enddate `date -j -u -v+2y '+%Y%m01000000Z'` \
-passin file:ca/component-ca/private/component-ca.pwd
For test an prime256v1, I have done:
Generate PK (testing prime256v1)
/usr/local/bin/openssl genpkey \
ecparam \
-name prime256v1 \
-genkey \
-param_enc explicit \
-out private/srv.example.org.key \
Generate Certificate Request (testing prime256v1)
setenv SAN "DNS:srv.example.org"
/usr/local/bin/openssl req \
-new \
-sha512 \
-config etc/tls-server.conf \
-key private/srv.example.org.key.enc \
-nodes \
-out certs/srv.example.org.csr \
-subj /C=DE/ST=State/L=Locality/O=Example\ Corporation/OU=System\ Administration/CN=srv.example.org \
unsetenv SAN
Sign the certificate (testing prime256v1)
/usr/local/bin/openssl ca \
-config etc/component-ca.conf \
-batch \
-md sha512 \
-in certs/srv.example.org.csr \
-out certs/srv.example.org.crt \
-extensions server_ext \
-startdate `date -j -u '+%Y%m01000000Z'` \
-enddate `date -j -u -v+2y '+%Y%m01000000Z'` \
-passin file:ca/component-ca/private/component-ca.pwd
The certificate is signed without errors...
When I try to access my domain browsers block the access saying the error:
No Cypher Overlap
My first guess is because the mix of encryption, then I have changed entire commands from the guide to make Root-CA, Network-CA, Component-CA all using secp521r1, since it seems to be a good security practice use highest encryption on top and low encryption (prime256v1) on bottom for make compatibility...
And then, same error occurs:
No Cypher Overlap
So if I wish to use prime256v1 I need to make all structure with only it? If tomorrow this process becomes weak, I need to remake the entire CA with new security encryption (eg, secp384r1)?
On Server side I have used the Mozilla SSL Configuration Generator to setup:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSL
CipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
PS.: I have no plans to purchase an online SSL Validated Certificate, but I will love to have a working CA testing structure working for study.