Step 1: Generate an ECC Key Pair

You can complete each step using your preferred software or cryptographic library. For demonstration purposes, we used the OpenSSL library.

Generate a private key

Run the following command to generate a 256-bit ECC private key:

openssl ecparam -genkey -name prime256v1 -out private_key.pem

ℹ️
Remember, you'll need this Private key to create your secret. This is necessary for Qualified sealing in the production environment.

Execute the following command to extract the public key:

openssl ec -in private_key.pem -pubout -out public_key.pem

Create a text file containing the message to sign (e.g., message.txt):

echo "This is a test message" > message.txt

Use the private key to sign the message by running the following command:

openssl dgst -sha256 -sign private_key.pem -out signature.bin message.txt

This command creates a signature.bin file containing the message's signature.

Use the public key to verify the signature. Execute the following command:

openssl dgst -sha256 -verify public_key.pem -signature signature.bin message.txt

If the signature is valid, you will see a message indicating "Verified OK".
If the signature is invalid, you will receive an error message.

To protect your private key, follow these best practices:

Do not expose the private key: never store the private key in a publicly accessible location or your source code.
Use strict file permissions: ensure that only authorized users have access to the private key file.
Key vault: consider using a secret key vault to securely store your keys in a production environment.

Perform regular audits to verify that your security practices are being followed and monitor access to your system.