Home / Articles

ECDSA certificate


ECDSA certificates should be chosen for new deployments, instead of RSA certificates. See a blog post written by Nick Sullivan, ECDSA: The digital signature algorithm of a better internet, for more information.

Generate private key


openssl ecparam -name secp384r1 -genkey -noout -out server.key

# Limit the access to the private key.
chmod 600 server.key

Self-signed certificates

For development and testing purposes, self-signed certificate may be sufficient. Run:

openssl req -new -x509 -key server.key -out server.crt -days 365

Generate certificate signing request (CSR)

Self-signed certificates are not trusted by the browsers. Generate a certificate signing request and submit it to a recognized certificate authority (CA) for signing. Run:

openssl req -new -sha256 -key server.key -out server.csr