zuqqhi2 Tech Memo

Generating ECDSA Self-Signed Certificate

I wrote the article how to generate RSA SSL Self-Signed Certificate and how to apply it to AWS Application Load Balancer last month.

I studied how to ECDSA SSL Self-Signed Certificate same time. So I’ll share it as well.

How to generate Self-Signed Certificate

At first, please generating a private key using the following command.

$ openssl ecparam -name prime256v1 -out server.key -genkey
$ openssl ec -in server.key -text -noout

And then, please generate a public key with the following command. I use AWS Tokyo region, so I set “*.ap-northeast-1.elb.amazonaws.com” as “Common Name”.

$ openssl req -new -key server.key -out server.csr
...
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:       
Organization Name (eg, company) [Default Company Ltd]:zuqqhi2
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.ap-northeast-1.elb.amazonaws.com
Email Address []:
...
A challenge password []:
An optional company name []:
$ openssl req -text -noout -in server.csr

You can create Self-Signed Certificate using the following command with the private/public key.

$ openssl x509 -in server.csr -days 365 -req -signkey server.key -out server.crt
$ openssl x509 -text -noout -in server.crt

Applying Self-Signed Certificate to AWS ALB

Basically it’s same as the article as I shared. But, ACM cannot import ECDSA SSL certificate as of now. So, please import ECDSA SSL certificate with IAM. You can do it on ALB HTTPS listener setting. Note that you should copy server.key without between “BEGIN PARAMETERS” and “END EC PARAMETERS” during importing private key. If you need to support RSA and ECDSA cipher suites, please refer to the following article (sorry, it’s Japanese article. Please use any translation tool).

ども、大瀧です。先日、ALBに複数のSSL/TLS証明書を設定できるようになりました。設定方法は以下のブログを参照ください。 ALBで複数のSSL/TLS証明書を設定できるSNIに対応しました｜ Developers …
AWS ALBでRSA証明書とECDSA証明書の両方に対応する | Developers.IO - クラスメソッド発「やってみた」系技術メディア | Developers.IO

$ openssl s_client -connect elb-ecdsa-test-1-109828406.ap-northeast-1.elb.amazonaws.com:443 -servername elb-ecdsa-test-1-109828406.ap-northeast-1.elb.amazonaws.com -cipher ECDHE-ECDSA-AES128-GCM-SHA256 &amp;lt; /dev/null | grep "Cipher"
 New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
     Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

$ openssl s_client -connect elb-ecdsa-test-1-109828406.ap-northeast-1.elb.amazonaws.com:443 -servername elb-ecdsa-test-1-109828406.ap-northeast-1.elb.amazonaws.com -cipher ECDHE-RSA-AES128-GCM-SHA256 &amp;lt; /dev/null | grep "Cipher"
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
     Cipher    : ECDHE-RSA-AES128-GCM-SHA256

zuqqhi2