SSL ECC CSR Certificate issuance ECC Certificate
People often ask why my HTTPS certificate is ECC, and ask me to quickly show them how to configure it. So this article explains how to use the ECC algorithm to generate a certificate request file (CSR).
In fact, most SSL certificates use RSA keys, which must be at least 2048 bits long to be secure. Such long keys weigh down a small, low-performance VPS. However, another SSL certificate algorithm has gradually developed that solves this problem well: the ECC (elliptic curve) algorithm. It can provide equivalent security with faster performance than other algorithms (such as RSA and DSA).
What are the advantages of ECC?
- A 256-bit ECC key has encryption strength equivalent to a 3072-bit RSA key (the commonly used RSA key length is currently 2048 bits)
- According to tests by relevant foreign authorities, with the ECC algorithm on Apache and IIS servers, web server response time is ten times faster than with RSA
All right, that's enough. The statements above were all found through Google; I have organized them so that you can read them more easily and get a basic understanding of ECC.
At present, few SSL vendors support the ECC algorithm. Among them, COMODO is affordably priced, and their "Comodo Positive SSL" also supports ECC. The effect is shown in the figure below. This website, linpx.com, currently uses it as well.
How to obtain ECC certificate?
You must use the ECC algorithm to issue a certificate request file (CSR) before you can apply for an ECC certificate.
Generate certificate private key and request file
Here we choose the secp384r1 curve, which shortens the key length while still ensuring sufficient security.
One-line command that generates both the key and the CSR:
openssl ecparam -out www.linpx.com.pkey -name secp384r1 -genkey && openssl req -new -key www.linpx.com.pkey -nodes -out www.linpx.com.csr -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Linpx Inc/OU=IT Dept/CN=www.linpx.com"
In the command, change www.linpx.com.pkey and www.linpx.com.csr to your own file names. Remember that the pkey name appears in two places.
Also change "/C=CN/ST=Shanghai/L=Shanghai/O=Linpx Inc/OU=IT Dept/CN=www.linpx.com" to your own values, especially the last field, the domain name. The fields are, in order: country, province, city, company, department and domain name.
Then use vi, vim, nano or another tool to view the CSR file, which looks roughly like this:
-----BEGIN CERTIFICATE REQUEST----- MIIBbzCB9QIBADB2MQswCQYDVQQGEwJDTjERMA8GA1UECAwIU2hhbmdoYWkxETAP BgNVBAcMCFNoYW5naGFpMRIwEAYDVQQKDAlMaW5weCBJbmMxFTATBgNVBAsMDE5l dHdvcmsgRGVwdDEWMB********************************************** **************************************************************** **************************************************************** **************************************************************** **************************************************************** -----END CERTIFICATE REQUEST-----
Copy the above content, then submit it to an SSL provider that supports ECC certificates for signing.
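Before pasting the CSR into the provider's form, it is worth confirming that it really is a secp384r1 request for the right domain and that it matches the private key you will install on the server. The script below is an added example, not part of the original article; www.example.com, "Example Inc" and the function names are placeholders.

```sh
#!/bin/sh
# Added example: www.example.com and "Example Inc" are placeholder values.

# gen_ecc_csr <domain> <dir>: secp384r1 key plus CSR, following the article's one-liner.
gen_ecc_csr() (
    umask 077    # keep the private key unreadable to other users
    openssl ecparam -name secp384r1 -genkey -noout -out "$2/$1.pkey" &&
    openssl req -new -key "$2/$1.pkey" -out "$2/$1.csr" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Example Inc/OU=IT Dept/CN=$1"
)

# check_ecc_csr <domain> <dir>: verify the CSR before sending it to the CA.
check_ecc_csr() (
    csr="$2/$1.csr"; key="$2/$1.pkey"
    # 1. The request's self-signature must verify (proof of key possession).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "FAIL: signature"; exit 1; }
    text=$(openssl req -in "$csr" -noout -text)
    # 2. The public key must be EC on the intended curve, not RSA.
    printf '%s\n' "$text" | grep -q "ASN1 OID: secp384r1" ||
        { echo "FAIL: curve"; exit 1; }
    # 3. The CN must be the domain being certified.
    printf '%s\n' "$text" | grep -Eq "CN ?= ?$1(,|\$)" ||
        { echo "FAIL: CN"; exit 1; }
    # 4. The CSR must carry the public half of this private key.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "FAIL: key mismatch"; exit 1; }
    echo "OK: secp384r1 CSR for $1"
)

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
gen_ecc_csr www.example.com "$demo_dir" && check_ecc_csr www.example.com "$demo_dir"
rm -rf "$demo_dir"
```

The key-match check matters most when a CSR is regenerated: a certificate issued for a CSR that no longer matches the key on disk will not load in the web server.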
This article was written by Chakhsu Lau and is licensed under the Creative Commons Attribution 4.0 International License.
All articles on this website are original or translated by this website, unless marked as reprinted or given a source. Please include attribution when reprinting.