Does Brekeke support elliptic curve certificates

Discuss any topic about Brekeke SIP Server.

Moderator: Brekeke Support Team

deeprock2
Posts: 3
Joined: Wed May 29, 2019 11:38 pm
Location: EARTH

Post by deeprock2 »

1. Brekeke Product Name and Version:
3.9.2
2. Java version:
1.8
3. OS type and the version:
Ubuntu 18.04
4. UA (phone), gateway or other hardware/software involved:
pjpsip
5. Your problem:
Does Brekeke support Elliptic Curve certificates? I am able to generate RSA certificates with OpenSSL and they worked successfully with Brekeke Server. But I couldn't load Elliptic Curve certificates. The only error message I got was:

Code:

Exception:
java.security.spec.InvalidKeySpecException
invalid key format

Harold
Posts: 289
Joined: Sun Sep 21, 2008 10:31 pm
Location: Japan

Post by Harold »

The key file must be in RSA format.
Please convert your key file to an RSA-formatted file.

For example:
openssl rsa -in current.key -out rsa.key

Also, make sure you upload the key file in the [Private Key File] field
and upload the certificate file in the [Certificate File] field.
deeprock2
Posts: 3
Joined: Wed May 29, 2019 11:38 pm
Location: EARTH

Post by deeprock2 »

Because my private key is in elliptic curve private key format, your suggestion did not work. Let me explain what I did:

First I created a private key for the CA:

Code:

openssl ecparam -out ca.key -name secp521r1 -genkey -rand /dev/urandom

Then the CA signed its own certificate (self-signed CA certificate):

Code:

openssl req -x509 -new -key ca.key -out ca.pem -outform PEM -days 3650 -sha384

Generate a key for the Brekeke SIP server:

Code:

openssl ecparam -out sip.key -name secp521r1 -genkey -rand /dev/urandom

Generate a signing request for SIP:

Code:

openssl req -new -nodes -key sip.key -outform PEM -out sip.req -sha384

Sign the request using the CA:

Code:

openssl ca -keyfile ca.key -cert ca.pem -in sip.req -out sip.pem -outdir . -days 3650

At this step, I have sip.key and sip.pem for the Brekeke SIP server. But Brekeke does not like the private key and gives the error message that I mentioned in my first message (invalid key format).

Does that mean Brekeke supports only RSA certificates? I want to use ECDSA, not RSA, therefore my key should be EC key.

On the other hand, the output of the "ciphersuitesinfo" command contains my desired cipher suite, which is TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256.

Mike
Posts: 733
Joined: Mon Mar 07, 2005 2:25 pm
Location: Sunny San Mateo
Contact:

Post by Mike »

Can you make a PKCS#12 file or JKS from these key and certificate files?

And then select that file type in the [File Type] setting.
Mike
Posts: 733
Joined: Mon Mar 07, 2005 2:25 pm
Location: Sunny San Mateo
Contact:

Post by Mike »

To convert sip.key and sip.pem to sip.p12, try a command like this:

Code:

openssl pkcs12 -export -out sip.p12 -inkey sip.key -in sip.pem -certfile ca.pem

Then select "PKCS#12" in the [File Type] setting in the SIP Server, and upload the sip.p12 file.

If you execute the "certinfo" command at the SIP Server, you can confirm that Key Algorithm is EC.
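
A pre-upload check for the PKCS#12 conversion described above, added here as an example (it is not part of any post in this thread and is not Brekeke's own tooling): it refuses to bundle a private key that does not belong to the certificate, then reads the bundle back to confirm the key algorithm and that key and certificate still match. File names follow the thread; the function names and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: checks to run before uploading an EC key/certificate bundle.
# File names follow the thread; function names and P12_PASS are assumptions.
# Usage: export P12_PASS=...; make_p12 sip.key sip.pem ca.pem sip.p12

# Public key (PEM) derived from a private key file (SEC1 "EC PRIVATE KEY" or PKCS#8).
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key (PEM) embedded in a certificate.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the private key ($1) belongs to the certificate ($2).
key_matches_cert() {
    k=$(key_pub "$1") || return 1
    c=$(cert_pub "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key ($1), certificate ($2) and CA certificate ($3) into PKCS#12 ($4).
# The export password is read from $P12_PASS, not passed as a command-line argument.
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout env:P12_PASS
}

# Print the public key algorithm of the leaf certificate stored in a PKCS#12 file.
p12_key_alg() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

# Succeeds only if the private key inside the bundle matches its leaf certificate.
p12_consistent() {
    k=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    c=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

For an EC certificate, `p12_key_alg sip.p12` prints `id-ecPublicKey`, which is OpenSSL's name for the EC key algorithm.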
deeprock2
Posts: 3
Joined: Wed May 29, 2019 11:38 pm
Location: EARTH

Post by deeprock2 »

Thank you, that worked.

Mike
Posts: 733
Joined: Mon Mar 07, 2005 2:25 pm
Location: Sunny San Mateo
Contact:

Post by Mike »

Glad to know it!