Generating EC keys with certtool

Fabrice Gautier fabrice.gautier at
Thu Nov 10 19:48:29 CET 2011

Ahah, so it happens to work on one of my machines, but not on the other two.

The machine were it works is a mac running Lion, the other two are
macs running SnowLeopard.

I'm recompiling gnutls from source on all of them, openssl is also
recompiled (either from source or through macports) so I'm guessing
that something went wrong while compiling. On some machine, I used the
gmp that came with macport, on others I recompiled myself, so who
knows where the problem lies...

Is there a way to verify a CSR with gnutls's certtool ?

-- Fabrice

On Thu, Nov 10, 2011 at 10:29 AM, Fabrice Gautier
<fabrice.gautier at> wrote:
> On Thu, Nov 10, 2011 at 9:12 AM, Nikos Mavrogiannopoulos
> <nmav at> wrote:
>> On 11/10/2011 06:53 AM, Fabrice Gautier wrote:
>>> Hi,
>>> When i generate an EC key with certtool,I get this:
>> [...]
>>> I am pretty sure that this command used to (in 3.0.5) only output the
>>> encoded part, not the textual part.
>>> This also end up in the file when specifying a file with --outfile
>>> The textual part should be output on stderr, if at all. The
>>> "Generating a 224 bit ECC private key..." message is indeed output on
>> Hello,
>>  Printing the key information is deliberate, and also deliberate it is
>> sent to stdout. What is the issue that you have with openssl?
> I'm generating a key with gnutls, then generating a CSR and cert with openssl.
> ${GNUTLS_CERTTOOL} -p  --ecc --sec-param high --outfile ClientKey.ecc.pem
> ${OPENSSL} req -new -nodes -days 365 -subj '/CN=Client Cert (ECC)'
> -key ClientKey.ecc.pem -out ClientReq.ecc.pem
> ${OPENSSL} x509 -req -in ClientReq.ecc.pem -CA CACert.pem -CAkey
> CAKey.pem -set_serial 1003 -out ClientCert.ecc.pem
> The last command returns:"Signature did not match the certificate request"
> If I use openssl to try to verify the request I also get an error:
> $ ${OPENSSL} req -verify -noout -in ClientReq.ecc.pem
> verify failure
> 140735082790172:error:0D0C5006:asn1 encoding
> routines:ASN1_item_verify:EVP lib:a_verify.c:184:
> That said, the extra text does not seem to be the cause of this, I
> tried to remove it and just use the encoded blob and got the same
> result. And it looks like its not new from 3.0.7.
> The reason I mix-n-match gnutls/openssl is that gnutls does not parse
> EC key generated by openssl properly, as I reported before. It looks
> like openssl has some trouble with gnutls EC key somehow, although I'm
> kind of baffled at the moment, because I'm pretty sure it used to work
> at some point...

More information about the Gnutls-help mailing list