What openssl command to use with ECC key

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
openssl rsa -outform der -in /etc/letsencrypt/live/c.jssi.com/privkey.pem -out c.jssi.com.server.key
It produced this output:
139866769585472:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
root@fringe:/home/fringeadmin# grep '^VERSION' /etc/os-release

My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 20.04.6 LTS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.4.0

When I generated the key using the command "sudo certbot certonly --manual", I chose Update, not knowing it created a key in ECC format. My boss does not want to generate another key in RSA. Now if I want to run the same command for ECC instead of RSA, what OpenSSL options should I use instead of "openssl rsa -outform der -in /etc/letsencrypt/live/c.jssi.com/privkey.pem -out c.jssi.com.server.key"?

Thanks Much


Most likely openssl ec.


Hello @mw6sense, welcome to the Let's Encrypt community.

Why is this needed?

openssl genpkey -algorithm EC -out $PRIVATE_KEY_FILENAME -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve

Bruce, genpkey doesn't accept an input key, so it can't be used in the OP's situation.


I need the certificate for my Citrix Netscaler portal.


OK; I was just trying to answer the OP's Help Topic Title "What openssl command to use with ECC key".
And I read that as not a supplied key but to generate the key.


Nope, see:

@mw6sense Please see my first post.


I've used this for both ECC & RSA

openssl pkey -in $PRIVATE_KEY_FILENAME -pubout -out $PUBLIC_KEY_FILENAME

As far as I know (and I am new to maintaining the certificate renewal), the letsencrypt certificate needs to be converted in order to be compatible with the netscaler site. Does this make sense?

What does netscaler say is needed?


A certificate that Netscale can understand. I ran this command and it worked: "openssl x509 -outform der -in /etc/letsencrypt/live/c.jssi.com/cert.pem -out c.jssi.com.server.cer", but the other command errored out. Obviously, I used the openssl rsa option, which was bad.

I guess my question is what certificates does Netscale say it can understand?


And the OpenSSL Manpages are here: /docs/manpages.html


I may give this command a try if this would work. Thanks.


I've used that with a .pem for the -in and for the -out, getting a .pem
Here is an example -out .pem

-----END PUBLIC KEY-----

No worries. Problem resolved. My boss just got a new key with this command "sudo certbot certonly --manual --email -d c.jssi.com --key-type rsa --rsa-key-size 4096" and avoided the ECC mistake.

Thanks for everyone's help!


This is probably the correct manpage /docs/man3.0/man1/openssl-pkey.html
or these for openssl 1.1.1


Certbot generates certificates in a format commonly known as PEM which is a text based encoding of the binary certificate data. The openssl x509 -outform der command you ran essentially converts it to the native binary format also known as DER. The openssl rsa <blah> command you previously ran only operates on RSA keys, not certs. And there's an equivalent key-specific command for EC keys.

In any case, if you were able to successfully upload that DER version of the EC certificate, it means your device likely does support EC certs in general and you didn't need to switch back to RSA. I'm curious though whether you needed to convert the PEM based RSA cert to DER as well? It would seem odd to me if the device required DER for EC certs, but could use DER or PEM for RSA certs.
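
The PEM-to-DER key conversion discussed in this thread, as an added example that is not part of any post: it uses the type-agnostic `openssl pkey` so the same command works whether the key is EC or RSA, then checks that the DER file holds the same key. The function names, file names and throwaway test keys are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Keys are throwaway test keys generated in a temp directory;
# function and file names are assumptions, not paths from the thread.

# key_type PEM -> prints RSA, EC, other or unknown, based on the fields
# that "openssl pkey -text" prints for each key type.
key_type() {
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo unknown; return 0; }
    case $text in
        *modulus:*)    echo RSA ;;
        *"ASN1 OID:"*) echo EC ;;
        *)             echo other ;;
    esac
}

# key_to_der PEM DER -> type-agnostic conversion. The output is private key
# material, so it is created readable by the owner only.
key_to_der() {
    ( umask 077 && openssl pkey -in "$1" -outform DER -out "$2" )
}

# same_key PEM DER -> succeeds only if both files hold the same key pair
# (compares the public keys derived from each private key).
same_key() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl pkey -inform DER -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# make_test_keys DIR -> constructed sample input: one EC and one RSA key in PEM.
make_test_keys() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/ec.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/rsa.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_test_keys "$dir" || return 1
    for k in ec rsa; do
        key_to_der "$dir/$k.pem" "$dir/$k.der" &&
        same_key "$dir/$k.pem" "$dir/$k.der" &&
        echo "$k.pem: $(key_type "$dir/$k.pem") key converted to DER and verified"
    done
    rm -rf "$dir"
}
demo
```

The resulting `.der` file is an unencrypted private key and should be handled and removed accordingly once it has been uploaded.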

