Generating EC keys with certtool

Fabrice Gautier fabrice.gautier at
Thu Nov 10 19:29:35 CET 2011

On Thu, Nov 10, 2011 at 9:12 AM, Nikos Mavrogiannopoulos
<nmav at> wrote:
> On 11/10/2011 06:53 AM, Fabrice Gautier wrote:
>> Hi,
>> When i generate an EC key with certtool,I get this:
> [...]
>> I am pretty sure that this command used to (in 3.0.5) only output the
>> encoded part, not the textual part.
>> This also end up in the file when specifying a file with --outfile
>> The textual part should be output on stderr, if at all. The
>> "Generating a 224 bit ECC private key..." message is indeed output on
> Hello,
>  Printing the key information is deliberate, and also deliberate it is
> sent to stdout. What is the issue that you have with openssl?

I'm generating a key with gnutls, then generating a CSR and cert with openssl.

${GNUTLS_CERTTOOL} -p  --ecc --sec-param high --outfile ClientKey.ecc.pem

${OPENSSL} req -new -nodes -days 365 -subj '/CN=Client Cert (ECC)'
-key ClientKey.ecc.pem -out ClientReq.ecc.pem
${OPENSSL} x509 -req -in ClientReq.ecc.pem -CA CACert.pem -CAkey
CAKey.pem -set_serial 1003 -out ClientCert.ecc.pem

The last command returns:"Signature did not match the certificate request"

If I use openssl to try to verify the request I also get an error:
$ ${OPENSSL} req -verify -noout -in ClientReq.ecc.pem
verify failure
140735082790172:error:0D0C5006:asn1 encoding
routines:ASN1_item_verify:EVP lib:a_verify.c:184:

That said, the extra text does not seem to be the cause of this, I
tried to remove it and just use the encoded blob and got the same
result. And it looks like its not new from 3.0.7.

The reason I mix-n-match gnutls/openssl is that gnutls does not parse
EC key generated by openssl properly, as I reported before. It looks
like openssl has some trouble with gnutls EC key somehow, although I'm
kind of baffled at the moment, because I'm pretty sure it used to work
at some point...

More information about the Gnutls-help mailing list