[Problem solved, feature request] EC private key should include curve params

Started by b.a., April 09, 2023, 04:25:03 AM

PKI works flawlessly everywhere.

Environment


  • Deciso 740 OPNsense OpenSSL Business 22.10.2 1abb59250


Repro


  • System > Trust > Certificates
  • Method: Create an internal certificate
  • Certificate authority: (previously created intermediate cert)
  • Key type: Elliptic Curve
  • Private key location: Download and do not save
  • Common name: (anything or appropriate FQDN hostname)
  • Save

Expected outcome


  • Cert and private key (pk) should be turnkey usable

Actual outcome


  • Target system refuses pk

Root cause


  • The pk is missing EC parameters

Remediation


Prepend one of the following implicit "named" curves to the beginning of the pk

prime256v1 (NIST P-256)

-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----



secp384r1

-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----



secp521r1

-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----


Also worth mentioning https://safecurves.cr.yp.to


Requested long-term solution


Prepend the BEGIN EC PARAMETERS section to the downloaded pk.

If a user doesn't want it, they can remove it.

It's far more difficult to find them (it took me extra time to find these and verify them) than it is to remove them.
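Added example (not part of the post above and not OPNsense code): the SEC1 "EC PRIVATE KEY" structure from RFC 5915 already carries the curve OID in its [0] parameters field, and the "EC PARAMETERS" PEM block is nothing more than that same OID base64-encoded on its own. So instead of looking the blob up by hand, a script can read the OID out of the downloaded key and prepend the matching block. The code below does that with only the standard library, refuses PKCS#8 ("BEGIN PRIVATE KEY") keys and explicit-parameter keys where the trick does not apply, and also names the curve behind each of the three blobs quoted in the post. The sample key is constructed here with a dummy scalar (it is syntactically valid DER but not a real key); the function and variable names are this example's own.

```python
import base64
import re

# Named-curve OIDs (RFC 5480 / SEC 2) for the three curves listed in the post.
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, body):
    """Build a short-form DER TLV (enough for the constructed sample below)."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def oid_to_dotted(oid_tlv):
    """Decode a DER OBJECT IDENTIFIER TLV (tag 0x06) to dotted form, e.g. '1.3.132.0.34'."""
    tag, body, _ = _read_tlv(oid_tlv, 0)
    if tag != 0x06 or not body:
        raise ValueError("not an OBJECT IDENTIFIER")
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def curve_of_sec1_key(der):
    """Return (dotted OID, raw OID TLV) from the [0] parameters field of an RFC 5915 ECPrivateKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE; is this really a SEC1 EC private key?")
    tag, version, pos = _read_tlv(seq, 0)          # version INTEGER, must be 1
    if tag != 0x02 or version != b"\x01":
        raise ValueError("unexpected ECPrivateKey version")
    tag, _scalar, pos = _read_tlv(seq, pos)        # privateKey OCTET STRING, skipped
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                            # [0] parameters
            inner_tag, _, end = _read_tlv(val, 0)
            if inner_tag != 0x06:
                raise ValueError("explicit curve parameters; only named curves are handled")
            return oid_to_dotted(val[:end]), val[:end]
    raise ValueError("key carries no parameters field; the curve cannot be recovered from it")


_SEC1_RE = re.compile(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", re.S)


def ec_parameters_block(oid_tlv):
    """Render the 'EC PARAMETERS' PEM block; it is just the base64 of the curve OID."""
    b64 = base64.b64encode(oid_tlv).decode("ascii")
    return f"-----BEGIN EC PARAMETERS-----\n{b64}\n-----END EC PARAMETERS-----\n"


def add_ec_parameters(pem):
    """Prepend the matching EC PARAMETERS block to a SEC1 PEM key that lacks one. Idempotent."""
    if "-----BEGIN EC PARAMETERS-----" in pem:
        return pem
    if "-----BEGIN PRIVATE KEY-----" in pem:
        raise ValueError("PKCS#8 key: the curve sits in its AlgorithmIdentifier; no block to add")
    m = _SEC1_RE.search(pem)
    if not m:
        raise ValueError("no 'EC PRIVATE KEY' block found")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    _dotted, oid_tlv = curve_of_sec1_key(der)
    return pem[:m.start()] + ec_parameters_block(oid_tlv) + pem[m.start():]


def curve_name_of_block(b64):
    """Name the curve behind a pasted 'EC PARAMETERS' base64 line (checks the post's three blobs)."""
    return NAMED_CURVES.get(oid_to_dotted(base64.b64decode(b64)), "unknown")


# Constructed sample, NOT a real key: a syntactically valid ECPrivateKey for prime256v1 with a
# dummy 32-byte scalar and no public key, as a download without the EC PARAMETERS block looks.
SAMPLE_SEC1_DER = _tlv(0x30,
                       _tlv(0x02, b"\x01")
                       + _tlv(0x04, bytes(range(1, 33)))
                       + _tlv(0xA0, bytes.fromhex("06082a8648ce3d030107")))
_b64 = base64.b64encode(SAMPLE_SEC1_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN EC PRIVATE KEY-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END EC PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(add_ec_parameters(SAMPLE_PEM))
    for blob in ("BggqhkjOPQMBBw==", "BgUrgQQAIg==", "BgUrgQQAIw=="):
        print(blob, "->", curve_name_of_block(blob))
```

If OpenSSL is at hand the same result comes from `openssl ec -in key.pem -param_out -out key-with-params.pem`, which re-emits the key with its EC PARAMETERS block; the script is useful where you only have the downloaded file and want to confirm which curve the blob you are about to paste actually stands for.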