Author |
Message |
deeprock2 Brekeke Newbie
Joined: 29 May 2019 Posts: 3
Location: EARTH
|
Posted: Wed May 29, 2019 11:58 pm Post subject: Does Brekeke support elliptic curve certificates |
|
|
1. Brekeke Product Name and Version:
3.9.2
2. Java version:
1.8
3. OS type and the version:
Ubuntu 18.04
4. UA (phone), gateway or other hardware/software involved:
pjpsip
5. Your problem:
Does Brekeke support Elliptic Curve certificates? I was able to generate RSA certificates with OpenSSL, and they worked with Brekeke Server, but I couldn't load Elliptic Curve certificates. The only error message I got was:
Code: |
Exception:
java.security.spec.InvalidKeySpecException
invalid key format
|
|
|
Harold Brekeke Master Guru
Joined: 21 Sep 2008 Posts: 287
Location: Japan
|
Posted: Thu May 30, 2019 8:06 pm Post subject: |
|
|
The key file must be in RSA format.
Please convert your key file to an RSA-formatted file.
For example:
openssl rsa -in current.key -out rsa.key
Also, make sure you upload the key file in the [Private Key File] field
and the certificate file in the [Certificate File] field.
|
|
deeprock2 Brekeke Newbie
Joined: 29 May 2019 Posts: 3
Location: EARTH
|
Posted: Thu May 30, 2019 10:54 pm Post subject: |
|
|
Because my private key is in elliptic curve private key format, your suggestion did not work. Let me explain what I did:
First I created a private key for CA:
Code: |
openssl ecparam -out ca.key -name secp521r1 -genkey -rand /dev/urandom
|
Then the CA signed its own certificate (self-signed CA certificate):
Code: |
openssl req -x509 -new -key ca.key -out ca.pem -outform PEM -days 3650 -sha384
|
Generate a key for the Brekeke SIP server:
Code: |
openssl ecparam -out sip.key -name secp521r1 -genkey -rand /dev/urandom
|
Generate a signing request for SIP:
Code: |
openssl req -new -nodes -key sip.key -outform PEM -out sip.req -sha384
|
Sign the request using the CA:
Code: |
openssl ca -keyfile ca.key -cert ca.pem -in sip.req -out sip.pem -outdir . -days 3650
|
At this step, I have sip.key and sip.pem for the Brekeke SIP server. But Brekeke does not like the private key and gives the error message that I mentioned in my first message (invalid key format).
Does that mean Brekeke supports only RSA certificates? I want to use ECDSA, not RSA, so my key should be an EC key.
On the other hand, the output of the "ciphersuitesinfo" command contains my desired cipher suite, which is TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256.
Harold wrote: |
The key file must be in RSA format.
Please convert your key file to an RSA-formatted file.
For example:
openssl rsa -in current.key -out rsa.key
Also, make sure you upload the key file in the [Private Key File] field
and the certificate file in the [Certificate File] field.
|
|
Mike Support Team
Joined: 07 Mar 2005 Posts: 731
Location: Sunny San Mateo
|
Posted: Fri May 31, 2019 10:30 am Post subject: |
|
|
Can you make a PKCS#12 or JKS file from these key and certificate files?
Then select that file type in the [File Type] setting.
|
|
Mike Support Team
Joined: 07 Mar 2005 Posts: 731
Location: Sunny San Mateo
|
Posted: Fri May 31, 2019 11:53 am Post subject: |
|
|
To convert sip.key and sip.pem to sip.p12, try a command like this:
Code: |
openssl pkcs12 -export -out sip.p12 -inkey sip.key -in sip.pem -certfile ca.pem
Then select "PKCS#12" in the [File Type] setting in the SIP Server, and upload the sip.p12 file.
If you execute the "certinfo" command at the SIP Server, you can confirm that the Key Algorithm is EC.
|
|
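Harold's reply says the [Private Key File] field takes an RSA-format key, and Mike's reply routes the EC key through PKCS#12. As an added example (not from the thread or from Brekeke), this Python code reads the DER structure of an unencrypted PEM key file to tell a SEC1 EC key, as written by `openssl ecparam -genkey`, from a PKCS#1 RSA or PKCS#8 key before an upload route is chosen. All function names are hypothetical and the sample keys are constructed.

```python
import base64, re
OID_EC = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
OID_P256 = bytes.fromhex("2a8648ce3d030107")   # prime256v1, used only for the samples
PEM_KEY = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def tlv(tag, body):  # DER encoder, short-form lengths only (enough for the samples)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def children(der):
    """Split DER content into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(der):
        tag, n = der[pos], der[pos + 1]
        pos += 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
        out.append((tag, der[pos:pos + n]))
        pos += n
    return out

def key_file_kind(pem_text):
    """Return (encoding, algorithm) of an unencrypted PEM private key."""
    m = PEM_KEY.search(pem_text)  # skips the EC PARAMETERS block ecparam also writes
    top = children(base64.b64decode("".join(m.group(2).split())) if m else b"")
    if not top or top[0][0] != 0x30:
        raise ValueError("no DER-encoded PEM private key found")
    (_, version), (tag2, second) = children(top[0][1])[:2]
    if tag2 == 0x04 and version == b"\x01":
        return ("SEC1", "EC")      # ECPrivateKey: version 1, then OCTET STRING
    if tag2 == 0x02 and version == b"\x00":
        return ("PKCS#1", "RSA")   # RSAPrivateKey: version 0, then INTEGER modulus
    if tag2 == 0x30:               # PKCS#8: AlgorithmIdentifier names the key type
        oid = children(second)[0][1]
        return ("PKCS#8", {OID_EC: "EC", OID_RSA: "RSA"}.get(oid, "other"))
    raise ValueError("unrecognised private key structure")

def needs_pkcs12(pem_text):  # in this thread the EC key only loaded via PKCS#12
    return key_file_kind(pem_text)[1] == "EC"

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed samples: dummy scalar bytes, not usable keys.
SEC1_DER = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, bytes(range(1, 33))) + tlv(0xA0, tlv(0x06, OID_P256)))
ALG_ID = tlv(0x30, tlv(0x06, OID_EC) + tlv(0x06, OID_P256))
PKCS8_DER = tlv(0x30, tlv(0x02, b"\x00") + ALG_ID + tlv(0x04, SEC1_DER))
```

Calling `key_file_kind(open("sip.key").read())` on the key from this thread should report `("SEC1", "EC")`, since `openssl ecparam -genkey` writes an `EC PRIVATE KEY` block.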
deeprock2 Brekeke Newbie
Joined: 29 May 2019 Posts: 3
Location: EARTH
|
Posted: Sun Jun 09, 2019 10:03 pm Post subject: |
|
|
Thank you, that worked.
Mike wrote: |
To convert sip.key and sip.pem to sip.p12, try a command like this:
Code: |
openssl pkcs12 -export -out sip.p12 -inkey sip.key -in sip.pem -certfile ca.pem
Then select "PKCS#12" in the [File Type] setting in the SIP Server, and upload the sip.p12 file.
If you execute the "certinfo" command at the SIP Server, you can confirm that the Key Algorithm is EC.
|
|
|
Mike Support Team
Joined: 07 Mar 2005 Posts: 731
Location: Sunny San Mateo
|
Posted: Mon Jun 10, 2019 11:35 am Post subject: |
|
|
Glad to know it!
|
|
|