PKI works flawlessly everywhere.
Environment
- Deciso 740 OPNsense OpenSSL Business 22.10.2 1abb59250
Repro
- System > Trust > Certificates
- Method: Create an internal certificate
- Certificate authority: (previously created intermediate cert)
- Key type: Elliptic Curve
- Private key location: Download and do not save
- Common name: (anything or appropriate FQDN hostname)
- Save
Expected outcome
- Cert and private key (pk) should be turnkey usable
Actual outcome
Root cause
- Pk is missing EC parameters
Remediation
Prepend one of the following implicit "named" curves to the beginning of the pk
prime256v1 (NIST P-256)
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----secp384r1-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----secp521r1-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----Also worth mentioning https://safecurves.cr.yp.to
Requested long-term solution
Prepend the BEGIN EC PARAMETERS section to the download pk.
If a user doesn't want it, they can remove it.
It's far more difficult to find them (it took me extra time to find these and verify them) than it is to remove them.