QUESTION
Does EFT support Elliptic Curve DSA (ECDSA) for certificate Authentication?
ANSWER
Yes; however, you must use external tools to create an ECC certificate, as EFT’s built-in certificate generator only supports generation of certificates for RSA authentication. Note: the authentication (certificate) part of a cipher suite is distinct from its key-exchange method, bulk encryption cipher, and message authentication code.
To create an ECDSA-compatible certificate:
- Download and install OpenSSL on a Linux system, or use a Windows-compatible build such as the one available from https://slproweb.com/products/Win32OpenSSL.html.
- Run the OpenSSL binary to open an OpenSSL command prompt, or add OpenSSL to your PATH and type openssl at a shell prompt to launch it.
- Generate a self-signed ECC certificate pair by running each of these commands in turn. Precede each line with openssl unless you are running from within the OpenSSL prompt. The first command generates a private key. The second command generates a self-signed certificate and prompts you for the certificate details. The last command encrypts the private key created earlier and prompts you for a passphrase.
- ecparam -name secp384r1 -param_enc named_curve -genkey -out private.pem
- req -new -x509 -key private.pem -out public.pem -days 730
- ec -in private.pem -out encprivate.pem -aes256
Note that the EC curve name (secp384r1) may not be supported by all browsers. Other named curves are listed in RFC 5480.
- Copy public.pem and encprivate.pem to a folder on your EFT server then browse to the public and private key from Site > Connections tab > SSL certificate settings > Configure. Make sure you specify the passphrase you entered earlier.
- Back in EFT’s Server > Security tab, you can now select cipher strings that use ECDSA as the authentication mode, e.g. ECDHE-ECDSA-AES256-GCM-SHA384.
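The three openssl steps above, scripted non-interactively and followed by the checks you would want before uploading the files to EFT: that the certificate really carries an EC public key on the intended curve, and that the encrypted private key opens with the passphrase and matches the certificate. This is an added example, not Globalscape’s or OpenSSL’s own code; it assumes the openssl CLI is on PATH, and the subject name, passphrase and output directory are placeholders to replace.

```shell
#!/bin/sh
# Added example (not EFT's code): non-interactive version of the three openssl
# steps from the article, plus verification of the result. Assumes openssl is
# on PATH; subject, passphrase and directory are placeholders.
set -eu

# Generate the private key, a self-signed certificate and an AES-256-encrypted
# copy of the key.  $1 = output directory, $2 = curve (e.g. secp384r1),
# $3 = passphrase that EFT will later ask for when importing the key.
gen_ecdsa_cert() {
    dir="$1"; curve="$2"; pass="$3"
    mkdir -p "$dir"
    # -noout keeps the EC PARAMETERS block out of the key file; otherwise as in the article
    openssl ecparam -name "$curve" -param_enc named_curve -genkey -noout -out "$dir/private.pem"
    # -subj replaces the interactive prompt; use the EFT server's hostname as CN in practice
    openssl req -new -x509 -key "$dir/private.pem" -out "$dir/public.pem" -days 730 \
        -subj "/CN=eft.example.test/O=Example" 2>/dev/null
    # Encrypt the private key with AES-256 under the passphrase
    openssl ec -in "$dir/private.pem" -out "$dir/encprivate.pem" -aes256 \
        -passout "pass:$pass" 2>/dev/null
}

# Print the public-key algorithm recorded in the certificate (id-ecPublicKey for ECDSA)
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# Print the named curve recorded in the certificate (e.g. secp384r1)
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: //p'
}

# Succeed only if the encrypted key opens with the passphrase and its public half
# equals the public key in the certificate.  $1 = encrypted key, $2 = passphrase, $3 = cert
key_matches_cert() {
    k=$(openssl ec -in "$1" -passin "pass:$2" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$3" -noout -pubkey)
    [ "$k" = "$c" ]
}

# Demo run, enabled with RUN_DEMO=1 so that sourcing the file only defines the functions
if [ "${RUN_DEMO:-0}" = "1" ]; then
    gen_ecdsa_cert ./ecc-out secp384r1 'change-this-passphrase'
    echo "algorithm: $(cert_key_algorithm ./ecc-out/public.pem)"
    echo "curve:     $(cert_curve ./ecc-out/public.pem)"
    key_matches_cert ./ecc-out/encprivate.pem 'change-this-passphrase' ./ecc-out/public.pem \
        && echo "key and certificate match"
fi
```

If cert_key_algorithm prints rsaEncryption instead of id-ecPublicKey, the certificate was generated from an RSA key and will not enable the ECDSA cipher suites no matter what cipher string is configured in EFT.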
Note that even if you do not generate an ECDSA certificate, you can still list ECDSA ciphers in EFT’s SSL cipher settings. The client and server negotiate a cipher suite that both support, but for the handshake to succeed with an RSA certificate the list must contain at least one RSA-authenticated (or non-authenticated) cipher. If the client only supports ECDSA authentication, the handshake will fail even though you have listed ECDSA-compatible ciphers, unless you have configured an ECC certificate in EFT’s connection settings as described above.
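A way to audit a cipher string against the rule in the note above before saving it in EFT: expand it with the local openssl CLI and look at the Au= (authentication) column of each suite, which is what ties a suite to the certificate type. This is an added example, not Globalscape’s or OpenSSL’s own code; it assumes openssl is on PATH. TLS 1.3 suites are excluded from the count because their authentication is reported as "any" and is not bound to the certificate type.

```shell
#!/bin/sh
# Added example (not EFT's code): audit an OpenSSL-format cipher string for
# certificate compatibility.  Assumes openssl is on PATH.
set -eu

# Print the distinct authentication modes (Au=...) of the TLS 1.2-and-earlier
# suites the string expands to, one per line.
auth_modes() {
    openssl ciphers -v "$1" \
        | awk '$2 != "TLSv1.3" { sub(/^Au=/, "", $4); print $4 }' \
        | sort -u
}

# Count the suites (TLS 1.2 and earlier) that an RSA certificate can serve:
# RSA-authenticated suites and anonymous (Au=None) suites.
count_rsa_usable() {
    openssl ciphers -v "$1" \
        | awk '$2 != "TLSv1.3" && ($4 == "Au=RSA" || $4 == "Au=None")' \
        | wc -l | tr -d ' '
}

# Succeed when the string keeps at least one suite that works with an RSA
# certificate, i.e. when EFT can still complete a handshake without an ECC cert.
works_with_rsa_cert() {
    [ "$(count_rsa_usable "$1")" -gt 0 ]
}

# Demo run, enabled with RUN_DEMO=1
if [ "${RUN_DEMO:-0}" = "1" ]; then
    for list in 'ECDHE-ECDSA-AES256-GCM-SHA384' \
                'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; do
        echo "$list"
        echo "  auth modes: $(auth_modes "$list" | tr '\n' ' ')"
        if works_with_rsa_cert "$list"; then
            echo "  ok with an RSA certificate"
        else
            echo "  needs an ECC certificate configured in EFT"
        fi
    done
fi
```

An ECDSA-only string such as ECDHE-ECDSA-AES256-GCM-SHA384 reports only ECDSA as its authentication mode and fails the works_with_rsa_cert check, which is exactly the situation the note describes: a client is offered nothing it can use with an RSA certificate.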