EC keys: omit the "EC PARAMETERS" section (use ecparam -noout flag) #538

Closed
opened 2025-12-29 01:27:01 +01:00 by adam · 1 comment

Originally created by @candlerb on GitHub (Jul 5, 2021).

When dehydrated creates an EC private key file, it looks like this:

```
-----BEGIN EC PARAMETERS-----
xxxxxxxxxxxxxx
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxx
-----END EC PRIVATE KEY-----
```

However, the go standard libraries will not read a key with this parameters section, and therefore this affects any application written in go, such as [minio](https://github.com/minio/minio/issues/11208#issuecomment-753569648).

There is more detail in [this stackexchange answer](https://security.stackexchange.com/questions/29778/why-does-openssl-writes-ec-parameters-when-generating-private-key). In short:

```
openssl ecparam -name secp256k1 -genkey
```

outputs the EC PARAMETERS and EC PRIVATE KEY sections, but it can be fixed by adding flag `-noout` to get just the key:

```
openssl ecparam -name secp256k1 -genkey -noout
```

I note that dehydrated uses the `-out` flag to write to a file, but this works correctly when combined with `-noout`:

```
$ openssl ecparam -genkey -name secp256k1 -out /tmp/testkey.pem -noout
$ cat /tmp/testkey.pem
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEICBUsojUHjuOipCd8V/Xvx6L4RYkSDVxN1VrGh+PyNDpoAcGBSuBBAAK
oUQDQgAE6igR6a0u3kGJfRMJTPBH5G3n/LKsQ2ypiHXgGu8G6PGAGQCJ6KEcd+i5
gL46KTVRVjWPafRuBAtG7lyQPiDTbA==
-----END EC PRIVATE KEY-----
$
```

Therefore, my suggestion is to add `-noout` in the two places which call `openssl ecparam`.

**Workaround:** it is possible to use a hook script to filter the key before passing it to the application, e.g.

```
openssl ec -in /etc/dehydrated/certs/example.com/privkey.pem -out /usr/local/etc/fixedkey.pem
```

It would be nice not to have to do that though.

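The failure mode the issue describes, as an added Go example that is not part of the original issue, of dehydrated, or of minio: a key file that starts with an `EC PARAMETERS` block, a hypothetical single-block loader (`loadNaive`) that trips over it, a loader that walks past non-key blocks (`loadSkipping`), and an in-process equivalent of the `openssl ec -in ... -out ...` hook-script workaround (`stripParams`). The example builds the two-block file itself rather than shelling out to openssl, and uses P-256 instead of the secp256k1 shown above because Go's `crypto/elliptic` does not implement secp256k1; the `EC PARAMETERS` body is the DER-encoded prime256v1 curve OID, which is what `openssl ecparam -name prime256v1 -genkey` prints in front of the key when `-noout` is omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// ecParamsPEM is a constructed "EC PARAMETERS" block whose body is the DER
// named-curve OID for prime256v1 (06 08 2A 86 48 CE 3D 03 01 07), i.e. what
// `openssl ecparam -name prime256v1 -genkey` emits ahead of the key.
const ecParamsPEM = "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"

// genKeyPEM returns a fresh P-256 key as a SEC1 "EC PRIVATE KEY" PEM file,
// with or without the parameters block in front (the two openssl outputs).
// P-256 is used only because Go's crypto/elliptic has no secp256k1.
func genKeyPEM(withParams bool) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if withParams {
		buf.WriteString(ecParamsPEM)
	}
	if err := pem.Encode(&buf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: der}); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// loadNaive is a hypothetical single-block loader: it decodes the first PEM
// block and assumes it is the key, so a leading EC PARAMETERS block breaks it.
func loadNaive(pemData []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM data found")
	}
	if block.Type != "EC PRIVATE KEY" {
		return nil, fmt.Errorf("expected EC PRIVATE KEY, got %q", block.Type)
	}
	return x509.ParseECPrivateKey(block.Bytes)
}

// loadSkipping walks every PEM block and parses the first "EC PRIVATE KEY",
// ignoring EC PARAMETERS or anything else placed in front of it.
func loadSkipping(pemData []byte) (*ecdsa.PrivateKey, error) {
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return nil, errors.New("no EC PRIVATE KEY block found")
		}
		if block.Type == "EC PRIVATE KEY" {
			return x509.ParseECPrivateKey(block.Bytes)
		}
	}
}

// stripParams re-emits only the key block, dropping the parameters block,
// which is what the `openssl ec -in ... -out ...` workaround does.
func stripParams(pemData []byte) ([]byte, error) {
	var out bytes.Buffer
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "EC PRIVATE KEY" {
			continue
		}
		if err := pem.Encode(&out, block); err != nil {
			return nil, err
		}
	}
	if out.Len() == 0 {
		return nil, errors.New("no EC PRIVATE KEY block found")
	}
	return out.Bytes(), nil
}

func main() {
	withParams, err := genKeyPEM(true)
	if err != nil {
		log.Fatal(err)
	}
	_, err = loadNaive(withParams)
	fmt.Println("naive loader, file with EC PARAMETERS:", err)
	if _, err := loadSkipping(withParams); err != nil {
		log.Fatal(err)
	}
	fixed, err := stripParams(withParams)
	if err != nil {
		log.Fatal(err)
	}
	if _, err := loadNaive(fixed); err != nil {
		log.Fatal(err)
	}
	fmt.Println("naive loader after stripParams: ok")
}
```

The parameters block carries nothing the key block lacks: a SEC1 `EC PRIVATE KEY` already embeds the curve OID in its optional `parameters` field (in the secp256k1 key shown above, the `oAcGBSuBBAAK` run decodes to exactly that OID), so dropping it with `-noout` or `openssl ec` loses no information. What the block does do is put a non-key PEM block first in the file, which is what single-block loaders choke on; a loader that iterates `pem.Decode` until it reaches a `PRIVATE KEY` block, as `loadSkipping` does, is the defensive counterpart on the consuming side.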
adam closed this issue 2025-12-29 01:27:01 +01:00
@lukas2511 commented on GitHub (Oct 31, 2021):

Should be fixed now. Hopefully this doesn't break any compatibility with other software 🙈

Reference: starred/dehydrated#538