This section applies to all ciphers with names beginning:

  • ECDH-ECDSA-
  • ECDHE-ECDSA-

As implied by the names, these ciphers require an ECDSA certificate, but it can be self-signed.

For these ciphers, the following openssl command line example from a Linux system creates a self-signed certificate for testing with the proper SSL options. The final command concatenates the key and certificate into a single file for input into the LoadMaster WUI.

openssl ecparam -name secp521r1 -param_enc named_curve -genkey -out private-key.pem
openssl req -new -x509 -key private-key.pem -out server-pub.pem -days 730
cat private-key.pem server-pub.pem > server.pem

Note: The -param_enc explicit option must not be used in the command line above, or the resulting certificate will be rejected when used to negotiate a secure connection.
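A check for the encoding the note above warns about, as an added example that is not part of the original documentation: it reads the EC PARAMETERS and EC PRIVATE KEY blocks that openssl ecparam -genkey writes and reports whether the curve is stored as a named-curve OID or as explicit parameters. The function names and the sample keys are constructed for illustration.

```python
import base64
import re

KINDS = {0x06: "named_curve", 0x30: "explicit"}  # DER tags: OID vs SEQUENCE

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ec_param_encoding(pem_text):
    """Map each EC PEM block label to 'named_curve', 'explicit' or 'unknown'."""
    found = {}
    pattern = r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----"
    for label, body in re.findall(pattern, pem_text, re.S):
        params = base64.b64decode("".join(body.split()))
        if label == "EC PRIVATE KEY":
            # SEC1 ECPrivateKey: SEQUENCE { version, privateKey, [0] parameters, ... }
            _, seq, _ = read_tlv(params)
            _, _, pos = read_tlv(seq)       # skip version
            _, _, pos = read_tlv(seq, pos)  # skip privateKey
            tag, params, _ = read_tlv(seq, pos) if pos < len(seq) else (0, b"", 0)
            if tag != 0xA0:  # optional [0] parameters field is absent
                continue
        elif label != "EC PARAMETERS":
            continue
        found[label] = KINDS.get(params[0] if params else None, "unknown")
    return found

def der(tag, value):  # short-form DER length only; enough for the samples
    return bytes([tag, len(value)]) + value

def pem(label, data):
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: real secp521r1 OID, dummy key bytes, stub explicit SEQUENCE.
SECP521R1 = der(0x06, bytes.fromhex("2b81040023"))
EXPLICIT = der(0x30, der(0x02, b"\x01"))

def sample_key(params):
    sec1 = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 8) + der(0xA0, params))
    return pem("EC PARAMETERS", params) + pem("EC PRIVATE KEY", sec1)

if __name__ == "__main__":
    for sample in (SECP521R1, EXPLICIT):
        print(ec_param_encoding(sample_key(sample)))
```

On a real file, pass the contents of private-key.pem or server.pem to ec_param_encoding; any result other than named_curve means the key was generated with the wrong -param_enc setting.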

If you plan to use a certificate signed by a Certificate Authority (CA), be sure to specify an ECDSA-signed certificate when creating a CSR for a certificate to be used with these ciphers.