When I generated the SSL key using ecparam, I got a CSR with a named curve:
$ openssl ecparam -genkey -out ecparam.key -name prime256v1
$ openssl req -new -sha256 -key ecparam.key -out ecparam.csr -subj "/CN=Test"
$ openssl req -text -in ecparam.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=Test
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:c0:10:c0:d2:8a:5d:f3:05:84:94:a5:23:1b:59:
35:20:b8:5f:e9:b1:f2:6b:83:15:59:3f:75:93:6b:
b6:a5:ce:16:19:04:9d:18:0d:8d:bb:db:2a:2c:e2:
05:c1:58:46:42:18:19:7a:c5:71:48:ec:54:a2:2d:
4d:6a:e3:14:23
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:93:1a:fe:90:c7:29:07:d2:b4:c7:c3:b2:fe:
dc:6a:bf:62:4b:88:4a:98:3f:30:e7:b0:62:55:62:6c:d9:b3:
bc:02:21:00:a0:3c:2f:1d:c8:28:72:bf:9c:8d:51:87:80:a4:
a0:17:7c:e8:17:60:63:8f:ea:21:ce:53:af:65:ee:80:25:d0
-----BEGIN CERTIFICATE REQUEST-----
MIHKMHECAQAwDzENMAsGA1UEAwwEVGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABMAQwNKKXfMFhJSlIxtZNSC4X+mx8muDFVk/dZNrtqXOFhkEnRgNjbvbKizi
BcFYRkIYGXrFcUjsVKItTWrjFCOgADAKBggqhkjOPQQDAgNJADBGAiEAkxr+kMcp
B9K0x8Oy/txqv2JLiEqYPzDnsGJVYmzZs7wCIQCgPC8dyChyv5yNUYeApKAXfOgX
YGOP6iHOU69l7oAl0A==
-----END CERTIFICATE REQUEST-----
However if I generate the key using genpkey (or req), my CSR now have an explicit curve instead:
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out genpkey.key
$ openssl req -new -sha256 -key genpkey.key -out genpkey.csr -subj "/CN=Test"
$ openssl req -text -in genpkey.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=Test
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:86:e1:af:90:3d:76:d9:2f:9d:bc:ca:5a:80:0a:
fc:6f:a7:75:29:26:5b:60:65:fd:3f:74:b4:5b:09:
27:0f:da:45:48:21:46:b4:16:a4:52:0e:c1:97:b4:
71:3a:5b:dc:6d:6e:aa:33:81:7b:cb:bd:78:18:6a:
62:fa:bf:8f:d3
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff
A:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:fc
B:
5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
60:4b
Generator (uncompressed):
04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
68:37:bf:51:f5
Order:
00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
63:25:51
Cofactor: 1 (0x1)
Seed:
c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
b7:81:9f:7e:90
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:99:a4:3c:85:cb:f0:b0:f5:10:6e:ff:9a:2b:
9b:81:3a:35:d2:5d:eb:cc:da:26:16:bb:95:ff:bc:b9:3a:06:
dc:02:21:00:ea:71:91:fb:87:de:49:87:be:8e:84:da:0f:3f:
33:bf:e4:48:d6:eb:09:99:81:07:e3:39:f3:83:7c:96:b1:e6
-----BEGIN CERTIFICATE REQUEST-----
MIIBwDCCAWUCAQAwDzENMAsGA1UEAwwEVGVzdDCCAUswggEDBgcqhkjOPQIBMIH3
AgEBMCwGByqGSM49AQECIQD/////AAAAAQAAAAAAAAAAAAAAAP//////////////
/zBbBCD/////AAAAAQAAAAAAAAAAAAAAAP///////////////AQgWsY12Ko6k+ez
671VdpiGvGUdBrDMU7D2O848PifSYEsDFQDEnTYIhucEk2pmeOETnSa3gZ9+kARB
BGsX0fLhLEJH+Lzm5WOkQPJ3A32BLeszoPShOUXYmMKWT+NC4v4af5uO5+tKfA+e
FivOM1drMV7Oy7ZAaDe/UfUCIQD/////AAAAAP//////////vOb6racXnoTzucrC
/GMlUQIBAQNCAASG4a+QPXbZL528ylqACvxvp3UpJltgZf0/dLRbCScP2kVIIUa0
FqRSDsGXtHE6W9xtbqozgXvLvXgYamL6v4/ToAAwCgYIKoZIzj0EAwIDSQAwRgIh
AJmkPIXL8LD1EG7/miubgTo10l3rzNomFruV/7y5OgbcAiEA6nGR+4feSYe+joTa
Dz8zv+RI1usJmYEH4znzg3yWseY=
-----END CERTIFICATE REQUEST-----
- What am I missing here? Why doesn't OpenSSL create a CSR with the named curve when using genpkey/req?
- Is there any reason why I should generate a CSR with named or explicit curve? and why?
