Creating Elliptic Curve Keys using OpenSSL

Scott Brady
Scott Brady
OpenSSL ・ Updated January 2021

Recently, I have been using OpenSSL to generate private keys and X509 certificates for Elliptic Curve Cryptography (ECC) and then using them in ASP.NET Core for token signing.

In this article, I’m going to show you how to use OpenSSL to generate private and public keys on the curve of your choice. Check out my other article for how to do the same for RSA keys.

tl;dr - OpenSSL ECDSA Cheat Sheet

# find your curve
openssl ecparam -list_curves

# generate a private key for a curve
openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

# generate corresponding public key
openssl ec -in private-key.pem -pubout -out public-key.pem

# optional: create a self-signed certificate
openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

# optional: convert pem to pfx
openssl pkcs12 -export -inkey private-key.pem -in cert.pem -out cert.pfx

Generating an Elliptic Curve Private Key Using OpenSSL

To start, you will need to choose the curve you will be working with. You can use the following command to see a list of supported curve names and descriptions.

openssl ecparam -list_curves

In this example, I am using prime256v1 (secp256r1), which is suitable for JWT signing; this is the curve used for JOSE’s ES256.

You can now generate a private key:

openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

This should give you a PEM file containing your EC private key, which looks something like the following:


Creating an EC Public Key from a Private Key Using OpenSSL

Now that you have your private key, you can use it to generate another PEM, containing only your public key.

openssl ec -in private-key.pem -pubout -out public-key.pem

This should give you another PEM file, containing the public key:

-----END PUBLIC KEY-----

Creating an EC Self-Signed Certificate Using OpenSSL

Now that you have a private key, you could use it to generate a self-signed certificate. This is not required, but it allows you to use the key for server/client authentication, or gain X509 specific functionality in technologies such as JWT and SAML.

openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

This will again generate another PEM file, this time containing the certificate created by your private key:


You could leave things there, but if you are working on Windows, you may prefer a PFX file that contains both the certificate and the private key for you to export and use.

You can do this using OpenSSL’s pkcs12 command:

openssl pkcs12 -export -inkey private-key.pem -in cert.pem -out cert.pfx

OpenSSL will ask you to create a password for the PFX file. Feel free to leave this blank.

This should leave you with a certificate that Windows can both install and export the EC private key from.

A certificate, opened in Windows 10, showing that a private key corresponding to this certificate is present. A certificate, opened in Windows 10, showing that the key is for ECC and ECDSA_P256.

Learn more

To learn more about using ECDSA, check out my JOSE focussed article “Which signing algorithm should I use?”.

Scott Brady
Scott Brady

I help developers learn OAuth and web security.

I’m an engineering manager and software developer specializing in OAuth, FIDO2, web security, and ASP.NET Core.