Chapter 9. Installing an Instance with ECC System Certificates

Elliptic curve cryptography (ECC) may be preferred over RSA-style encryption in some cases, as it allows it to use much shorter key lengths and makes it faster to generate certificates. CAs which are ECC-enabled can issue both RSA and ECC certificates, using their ECC signing certificate.
Certificate System includes native support for ECC features; the support is enabled by default starting from NSS 3.16. It is also possible to load and use a third-party PKCS #11 module, such as a hardware security module (HSM). To use the ECC module, it must be loaded before the subsystem instance is configured.


Third-party ECC modules must have an SELinux policy configured for them, or SELinux needs to be changed from enforcing mode to permissive mode to allow the module to function. Otherwise, any subsystem operations which require the ECC module will fail.

9.1. Loading a Third-Party ECC Module

Loading a third-party ECC module follows the same principles as loading HSMs supported by Certificate System, which is described in Chapter 8, Using Hardware Security Modules for Subsystem Security Databases. See this chapter for more information.