Skip to main content
Skip table of contents

Set up elliptic curve cryptography encoding in Identity Manager

This article includes updates for Smart ID 23.10.3 and later.

This article describes how to set up Elliptic Curve Cryptography (ECC) encoding in Smart ID Identity Manager.

For more information, see Set up card encoding description template in Identity Manager.

Prerequisites
  • The type of the created keys is coded into the KeySize property. Supported curves are limited by Bouncy Castle, the PKCS#11 middleware, and the certificate authority. 

    The PKCS10SigningAlgorithm must be specified when using elliptic curves cryptography.

  • Supported CAs:
    • Smart ID Certificate Manager
    • EJBCA
    • QuoVadis
    • D-Trust
  • Supported middlewares:
Set up elliptic curve cryptography encoding

Edit the encoding description in which you want to use ECC and do the following:

  1. Use the KeySize property to code the type of the created keys. Set the value to ECC/ plus a curve name, for example, KeySize=ECC/prime256v1.
  2. Specify a suitable PKCS10SigningAlgorithm supported by the given card/middleware combination. Preferably, choose a SHA-2-based algorithm. SHA1_ECDSA should be used only if better options are unavailable.
Example: ECC encodings

Example: ECC encodings

CODE 
[Application_A]
CertTempl=SigCert
KeySize=ECC/prime256v1
PKCS10SigningAlgorithm=SHA256_ECDSA
 
[Application_B]
CertTempl=AuthCert
KeySize=ECC/brainpoolP256r1
PKCS10SigningAlgorithm=SHA256_ECDSA
Supported PKCS10SigningAlgorithms

Cryptovision 8 middleware
with CardOS 5.0/5.3 cards		TCOS 3 middleware
with TCOS 3 cards		TCOS 4 middleware
with TCOS 3/4 cards		CardOS API 5.5.5
with CardOS 5.0/5.3 cards
ECDSA_SHA1(tick) (tick)(tick) (tick) 
ECDSA_SHA224(tick)(error) (error) (error) 
ECDSA_SHA256(tick)(error)(tick) (error) 
ECDSA_SHA384(tick)(error)(error) (error) 
ECDSA_SHA512(tick)(error)(error) (error) 
Supported curves

The table below contains a subset of the supported curves. This is not an exhaustive list, there are many other curves that may or may not be supported.

Curve name

(alternative names)

Cryptovision 8 middleware
with CardOS 5.0 cards		Cryptovision 8 middleware
with CardOS 5.3 cards		TCOS 3 middleware
with TCOS 3 cards		TCOS 4 middleware
with TCOS 3/4 cards		CardOS API 5.5.5
with CardOS 5.0 cards		CardOS API 5.5.5
with CardOS 5.3 cards

prime256v1

P-256

secp256r1

(tick)(tick)(tick)(tick)(tick)(tick)

P-224

secp224r1

(tick)(tick)(question)(question)(tick)(tick)
P-384
secp384r1		(tick)(tick)(tick)(tick)(tick)(tick)
P-521
secp521r1		(error)(tick)(error)(error)(tick)(tick)
brainpoolP160t1(tick)(tick)(question)(question)(error)(error)
brainpoolP256t1(tick)(tick)(tick)(tick)(error)(error)
brainpoolP384t1(tick)(tick)(tick)(tick)(error)(error)
brainpoolP512t1(error)(tick)(tick)(tick)(error)(error)

brainpoolIP192r1

(tick)(tick)(tick)(tick)(tick)(tick)

brainpoolIP256r1

(tick)(tick)(tick)(tick)(tick)(tick)

brainpoolIP320r1

(tick)(tick)(tick)(tick)(tick)(tick)

brainpoolIP512r1

(error)(tick)(tick)(tick)(tick)(tick)
secp256k1(error)(tick)(question)(question)(tick)(tick)
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close