OpenSSL（公開鍵：ECC256、署名アルゴリズム：sha256ECDSA）※prime256v1：P-256

・構築
bash-3.00# cd /usr/local/sslbash-3.00# cp openssl.cnf openssl-ECprime256v1.cnf
bash-3.00# vi openssl-ECprime256v1.cnf
＜変更点＞
[CA_default]
dir = ./demoCA
↓
dir = ./ECprime256v1
default_days = 365
↓
default_days = 3650
default_md = default
↓
default_md = sha256
[req_distinguished_name]
st、l、emailをコメント
[policy_match]
st、lをmatchからoptional
bash-3.00# cp misc/CA.sh misc/ECprime256v1.sh
bash-3.00# vi misc/ECprime256v1.sh
＜変更点＞
demoCA
↓
ECprime256v1CA
CA_DAYS="-days 1095"
↓
CA_DAYS="-days 3650"
-newca)
..
     $REQ -new -keyout ${CATOP}/private/$CAKEY \
      -out ${CATOP}/$CAREQ
↓
-newca)
..
     $OPENSSL ecparam -genkey -name prime256v1 -out ${CATOP}/private/$CAKEY
     $REQ -new -sha256 -key ${CATOP}/private/$CAKEY \
      -out ${CATOP}/$CAREQ
bash-3.00# SSLEAY_CONFIG="-config /usr/local/ssl/openssl-ECprime256v1.cnf"
bash-3.00# export SSLEAY_CONFIG
bash-3.00# cd /usr/local/ssl
bash-3.00# misc/ECprime256v1.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
Organization Name (eg, company) [Internet Widgits Pty Ltd]:openam
Organizational Unit Name (eg, section) []:openam.net
Common Name (e.g. server FQDN or YOUR name) []:OpenSSL ECprime256v1
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/openssl-ECprime256v1.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            fc:ca:db:0a:8e:f5:ce:9c
        Validity
            Not Before: Apr 26 20:53:05 2012 GMT
            Not After : Apr 24 20:53:05 2022 GMT
        Subject:
            countryName               = jp
            organizationName          = openam
            organizationalUnitName    = openam.net
            commonName                = OpenSSL ECprime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9C:75:4F:D2:F1:DB:B5:C7:64:C7:05:6E:A5:4B:FE:8B:F6:32:E7:26
            X509v3 Authority Key Identifier:
                keyid:9C:75:4F:D2:F1:DB:B5:C7:64:C7:05:6E:A5:4B:FE:8B:F6:32:E7:26
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate is to be certified until Apr 24 20:53:05 2022 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

・出来上がったCA証明書（抜粋）

＜参考＞
・同じ方が書かれたみたい
http://researchmap.jp/?action=cv_download_main&upload_id=11085
http://www.ipa.go.jp/security/fy22/reports/tech1-tg/a_01.html