
Generating RSA certificate for ECC public key #3

Open
rathorearvind19 opened this issue Apr 18, 2023 · 3 comments

Comments

@rathorearvind19

Can I generate an RSA certificate for an ECC public key? I want the terminal to have an ECC private/public key pair, but the DV and CVCA to have RSA key pairs. In that case, can I generate an RSA certificate for the IS's ECC key pair? It doesn't seem to be supported, but ideally it should be possible.

Here is the batch script I am running:

```bat
REM Certificate holder references (CHR) for the three levels of the chain
SET seq=003
SET CA=DETestingCV
SET DV=DETESTDVDE
SET IS=DETESTISDE
REM Terminal Authentication scheme used for every signature in the chain
SET SCHEME=RSA_v1_5_SHA_256
SET KEY_SIZE=2048

REM CVCA: RSA key, self-signed root certificate
openssl genrsa -out %CA%%seq%.pem %KEY_SIZE%
openssl pkcs8 -topk8 -nocrypt -in %CA%%seq%.pem -outform DER -out %CA%%seq%.pkcs8
cvc-create --role=cvca --type=at --chr=%CA%%seq% --valid=365 --sign-key=%CA%%seq%.pkcs8 --scheme=%SCHEME%

REM DV: RSA key, certificate signed by the CVCA (public key passed in as DER)
openssl genrsa -out %DV%%seq%.pem %KEY_SIZE%
openssl pkcs8 -topk8 -nocrypt -in %DV%%seq%.pem -outform DER -out %DV%%seq%.pkcs8
openssl rsa -in %DV%%seq%.pem -out %DV%%seq%.pub -pubout -outform DER
cvc-create --role=dv_domestic --type=at --chr=%DV%%seq% --valid=180 --sign-key=%CA%%seq%.pkcs8 --scheme=%SCHEME% --sign-as=%CA%%seq%.cvcert --public-key=%DV%%seq%.pub

REM IS (terminal): ECC key on prime256v1, self-signed request, then certificate signed by the DV
REM This is the step that fails: the request carries an EC public key under an RSA scheme
openssl ecparam -out %IS%%seq%.pem -name prime256v1 -genkey
openssl pkcs8 -topk8 -nocrypt -in %IS%%seq%.pem -outform DER -out %IS%%seq%.pkcs8
cvc-create --chr=%IS%%seq% --scheme=%SCHEME% --sign-key=%IS%%seq%.pkcs8 --out-cert=%IS%%seq%.cvreq --req-car=%DV%%seq%
cvc-create --role=terminal --type=at --valid=60 --sign-key=%DV%%seq%.pkcs8 --sign-as=%DV%%seq%.cvcert --request=%IS%%seq%.cvreq
```

and the error I am getting:

```
Traceback (most recent call last):
  File "\Anaconda3\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "\Anaconda3\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "*\Anaconda3\Scripts\cvc-create.exe\__main__.py", line 7, in <module>
  File "\Anaconda3\lib\site-packages\cvc\tools\cvc_create.py", line 233, in run
    main(args)
  File "\Anaconda3\lib\site-packages\cvc\tools\cvc_create.py", line 175, in main
    pub_key = rsa.RSAPublicNumbers(int.from_bytes(CVC().decode(data).pubkey().find(0x82).data(), 'big'), int.from_bytes(CVC().decode(data).pubkey().find(0x81).data(), 'big')).public_key()
  File "\Anaconda3\lib\site-packages\cryptography\hazmat\primitives\asymmetric\rsa.py", line 413, in public_key
    return ossl.load_rsa_public_numbers(self)
  File "\Anaconda3\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 573, in load_rsa_public_numbers
    rsa._check_public_key_components(numbers.e, numbers.n)
  File "*\Anaconda3\lib\site-packages\cryptography\hazmat\primitives\asymmetric\rsa.py", line 201, in _check_public_key_components
    raise ValueError("e must be odd.")
ValueError: e must be odd.
```

@polhenarejos
Owner

No, you cannot do that. As per the specifications, terminal certificates (and also DV certificates) must use the same key parameters as the CVCA. If the CVCA uses RSA, the whole trust chain must use RSA. This also applies to ECC: if the CVCA uses a specific elliptic curve, subsequent DV and terminal certificates must use the same curve. You cannot mix them.

@rathorearvind19
Author

Makes sense. Thanks.
I was trying to use an ECC key pair for ECDH for the terminal, but all the certificates in the trust chain (CVCA, DV, terminal) are signed with RSA keys. I think that works, and I was able to generate certificates.

@skanster

skanster commented Oct 3, 2023

Hello
Here is a sample script for renewing a cert with the same key:

```
cvc-create --role=cvca --type=at --sign-as=ZZATCVCA00001.cvcert --chr=ZZATCVCA00002 --days=365 --sign-key=ZZATCVCA00001.pkcs8 --scheme=ECDSA_SHA_256
```

