9.3. Installing an Instance with ECC Enabled

Elliptic curve cryptography (ECC) provides stronger security for a given key length than the more common RSA-style encryption, which allows it to use much shorter key lengths and makes it faster to generate certificates. CAs which are ECC-enabled can issue both RSA and ECC certificates, using their ECC signing certificate.
Certificate System does not natively include a module to enable ECC, but it is possible to load and use a third-party PKCS #11 module with ECC enabled.
To use the ECC module, it must be loaded before the subsystem instance is configured.


Third-party ECC modules must have an SELinux policy configured for them, or SELinux needs to be changed from enforcing mode to permissive mode to allow the module to function. Otherwise, any subsystem operations which require the ECC module will fail.

9.3.1. Loading a Third-Party ECC Module

  1. Copy the third-party module to a common directory, like /usr/lib for 32-bit systems or /usr/lib64 for 64-bit systems.
  2. Create a new instance by running pkicreate, but do not go through the configuration wizard.
  3. Stop the instance.
    service instance_name stop
  4. The subsystem user runs as the pkiuser user. As root, create a home directory for pkiuser.
    /usr/sbin/usermod --home /usr/share/pki/pkiuser pkiuser
    cd /usr/share/pki
    mkdir pkiuser
    export HOME=/usr/share/pki/pkiuser
  5. Install the third-party module in the instance's security databases so it is available for the configuration.
    cd /var/lib/instance_name/alias
    modutil -dbdir . -nocertdb -add THIRD_PARTY_MODULE -libfile /usr/lib/libYourNewModule.so
    This creates a directory called THIRD_PARTY_MODULE in the new home directory created for root (the new pkiuser home directory). For example, if the module's name is EccForPki, then the directory is named .EccForPki/
  6. Using modutil, set the password for the new ECC module token.
    modutil -dbdir . -nocertdb -changepw "THIRD_PARTY_MODULE_TOKEN"
  7. Change the ownership of the new home directory from root to pkiuser.
    cd /usr/share/pki
    chown -R pkiuser:pkiuser pkiuser
  8. Add the password for the ECC token to the instance's password file.
    vim /etc/instance_name/password.conf
    The hardware- prefix is required.
  9. Edit the instance configuration and add a line to require signature verification. For example:
  10. Start the instance.
    service instance_name start
  11. Continue with the instance configuration, with two important configuration settings:
    • In the Key Store panel, the ECC module should be listed as an available token. Select that module for the key store.
    • In the Key Pairs panel, ECC should be listed as an option to use to generate the keys used for the CA's certificates. Select the ECC key type.
  12. After completing the configuration for the instance, assuming it is a Java subsystem, try to log into the console.
    pkiconsole https://server.example.com:admin_port/subsystem_type
    This fails, because the console is not yet configured to run with ECC enabled. However, this does create the security databases for the console, so the ECC module can be loaded.
  13. Load the ECC module into the console security databases.
    cd ~/.redhat-idm-console/
    modutil -dbdir . -nocertdb -add THIRD_PARTY_MODULE -libfile /usr/lib/libYourNewModule.so
    Now, logging into the console succeeds.
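
As an added example (not part of the original guide), the following script checks the password file entry from step 8 before the instance is started in step 10. It assumes password.conf holds one name=password entry per line; the script name check.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide: checks to run before step 10.
# Assumption: password.conf holds one "name=password" entry per line, so the
# ECC token entry reads "hardware-<token name>=<password>".

# token_entry_status FILE TOKEN
# Prints one of: ok | missing-prefix | empty-password | absent
token_entry_status() {
    awk -v tok="$2" '
        {
            eq = index($0, "=")          # split on the first "=" only
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            if (name == ("hardware-" tok)) {
                st = (value == "") ? "empty-password" : "ok"
                prefixed = 1
            } else if (name == tok && !prefixed) {
                st = "missing-prefix"    # entry exists but lacks hardware-
            }
        }
        END { print (st == "" ? "absent" : st) }' "$1"
}

# other_perms PATH: prints the permission triplet for "other", e.g. "---".
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# preflight FILE TOKEN: returns 0 only if the token entry is usable and the
# file, which stores the token password in clear text, is closed to "other".
preflight() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    status=$(token_entry_status "$1" "$2")
    if [ "$status" != ok ]; then
        echo "$1: entry for token '$2': $status" >&2
        return 1
    fi
    if [ "$(other_perms "$1")" != "---" ]; then
        echo "$1: accessible to users other than owner and group" >&2
        return 1
    fi
}

# Usage: sh check.sh /etc/instance_name/password.conf THIRD_PARTY_MODULE_TOKEN
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit status means the entry or the file permissions should be corrected before the instance is started.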