A.2. ECC Algorithms and Curves

Certificate System does not include a module natively to enable ECC, but it is possible to load and use a third-party PKCS #11 module with ECC-enabled. This is covered in Chapter 9, Installing an Instance with ECC Enabled.

The following algorithms are available for ECC keys:

SHA256withEC (the default)
SHA1withEC
SHA384withEC
SHA512withEC

The curves available for ECC keys are listed in Table A.1, “ECC Curves”.

NOTE

The only supported curve for the TPS is nistp256.

IMPORTANT

While Certificate System supports all of these curves, hardware security modules or servers may not support some of these curves. Check with the hardware vendor when determining what curves to use.

Table A.1. ECC Curves

Curve Family	Supported Curves
NIST, SEC2 Prime	secp521r1 and nistp521 nistp521 secp384r1 and nistp384 nistp384 secp256r1 and nistp256 nistp256 secp256k1 secp224r1 and nistp224 nistp224 secp224k1 secp192r1 and nistp192 nistp192 secp192k1 secp160r2 secp160r1 secp160k1 secp128r2 secp128r1 secp112r2 secp112r1
NIST, SEC2 Binary	sect571r1 and nistb571 nistb571 sect571k1 and nistk571 nistk571 sect409r1 and nistb409 nistb409 sect409k1 and nistk409 nistk409 sect283r1 and nistb283 nistb283 sect283k1 and nistk283 nistk283 sect239k1 sect233r1 and nistb233 nistb233 sect233k1 and nistk233 nistk233 sect193r2 sect193r1 nistb163 sect163r2 and nistb163 sect163r1 sect163k1 and nistk163 nistk163 sect131r2 sect131r1 sect113r2 sect113r1
ANSI X9.62 Prime	prime239v3 prime239v2 prime239v1 prime192v3 prime192v2 prime192v1 and nistp192 prime256v1 and nistp256
ANSI X9.62 Binary	c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2onb191v4 c2onb191v5 c2pnb208w1 c2tnb239v1 c2tnb239v2 c2tnb239v3 c2onb239v4 c2onb239v5 c2pnb272w1 c2pnb304w1 c2tnb359v1 c2pnb368w1 c2tnb431r1