Show Table of Contents
Chapter 9. Installing an Instance with ECC System Certificates
Elliptic curve cryptography (ECC) may be preferred over RSA-style encryption in some cases, as it allows it to use much shorter key lengths and makes it faster to generate certificates. CAs which are ECC-enabled can issue both RSA and ECC certificates, using their ECC signing certificate.
Certificate System includes native support for ECC features; the support is enabled by default starting from NSS 3.16. It is also possible to load and use a third-party PKCS #11 module, such as a hardware security module (HSM). To use the ECC module, it must be loaded before the subsystem instance is configured.
Important
Third-party ECC modules must have an SELinux policy configured for them, or SELinux needs to be changed from
enforcing mode to permissive mode to allow the module to function. Otherwise, any subsystem operations which require the ECC module will fail.
9.1. Loading a Third-Party ECC Module
Loading a third-party ECC module follows the same principles as loading HSMs supported by Certificate System, which is described in Chapter 8, Using Hardware Security Modules for Subsystem Security Databases. See this chapter for more information.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.