# Generate ECDSA root key and certificate

ECDSA offers superior security and performance compared to the RSA
signature algorithm. As a result, the default configuration in Sectools
supports ECDSA signing.

With ECDSA, two types of keys are created:

- The public key, which is accessible to everyone.
- The private key, which is only known to the owner of the key pair.

Note: To avoid copying any special characters along with the commands, it is recommended that you type the commands manually at the command prompt or in a notepad before execution.

You can modify and run the following ECDSA-specific commands to generate
the root key and certificate:

1. Navigate to the `OEM-KEYS` directory and generate the ECDSA root
key and certificate:

   ```shell
   cd ./OEM-KEYS
   openssl ecparam -genkey -name secp384r1 -outform PEM -out qpsa_rootca.key
   ```

   ```shell
   openssl req -new -key qpsa_rootca.key -sha384 -out rootca_pem.crt -subj '/C=US/CN=Generated OEM Root CA/OU=CDMA Technologies/OU=General Use OEM Key (OEM should update all fields)/L=San Diego/O=SecTools/ST=California' -config opensslroot.cfg -x509 -days 7300 -set_serial 1
   ```

   ```shell
   openssl x509 -in rootca_pem.crt -inform PEM -out qpsa_rootca.cer -outform DER
   ```

2. Generate the intermediate certificate authority (CA) key pair and
certificate:

   ```shell
   openssl ecparam -genkey -name secp384r1 -outform PEM -out qpsa_attestca.key
   ```

   ```shell
   openssl req -new -key qpsa_attestca.key -out ca.CSR -subj '/C=US/ST=California/CN=Generated OEM Attestation CA/O=SecTools/L=San Diego' -config opensslroot.cfg -sha384
   ```

   ```shell
   openssl x509 -req -in ca.CSR -CA rootca_pem.crt -CAkey qpsa_rootca.key -out ca_pem.crt -set_serial 1 -days 7300 -extfile v3.ext -sha384 -CAcreateserial
   ```

   ```shell
   openssl x509 -inform PEM -in ca_pem.crt -outform DER -out qpsa_attestca.cer
   ```
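
The script below is an added example, not part of the Sectools documentation. It checks that the files from steps 1 and 2 use secp384r1 and ECDSA with SHA-384, that each certificate matches its private key, that the attestation CA verifies against the root, and that the DER files encode the same certificates as their PEM sources. The function names, `demo.cfg`, `demo.ext` and the demo subject names are assumptions made for the example; the contents of the real `opensslroot.cfg` and `v3.ext` are not shown on this page.

```shell
#!/bin/sh
# Added example, not Sectools code: checks for the files from steps 1 and 2.
key_curve() {          # named curve of EC private key $1 (secp384r1 expected)
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}
cert_sigalg() {        # signature algorithm of PEM certificate $1
    openssl x509 -in "$1" -noout -text | sed -n '/Signature Algorithm: /{s/.*: //p;q;}'
}
key_matches_cert() {   # true only if certificate $2 holds the public half of key $1
    k=$(openssl ec -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
chain_ok() {           # true only if certificate $2 verifies against root $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
same_cert() {          # true only if DER file $2 is the same certificate as PEM file $1
    a=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null)
    b=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
# Build a throwaway chain in directory $1 following the page's commands.
# ASSUMPTION: demo.cfg and demo.ext are constructed stand-ins for the
# opensslroot.cfg and v3.ext in OEM-KEYS; subjects and validity are demo values.
make_demo_chain() (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >demo.cfg
    printf 'basicConstraints=critical,CA:TRUE\n' >demo.ext
    openssl ecparam -genkey -name secp384r1 -outform PEM -out qpsa_rootca.key &&
    openssl req -new -key qpsa_rootca.key -sha384 -out rootca_pem.crt -subj '/CN=Demo Root CA' -config demo.cfg -x509 -days 1 -set_serial 1 &&
    openssl x509 -in rootca_pem.crt -inform PEM -out qpsa_rootca.cer -outform DER &&
    openssl ecparam -genkey -name secp384r1 -outform PEM -out qpsa_attestca.key &&
    openssl req -new -key qpsa_attestca.key -out ca.CSR -subj '/CN=Demo Attestation CA' -config demo.cfg -sha384 &&
    openssl x509 -req -in ca.CSR -CA rootca_pem.crt -CAkey qpsa_rootca.key -out ca_pem.crt -set_serial 1 -days 1 -extfile demo.ext -sha384 -CAcreateserial &&
    openssl x509 -inform PEM -in ca_pem.crt -outform DER -out qpsa_attestca.cer
) >/dev/null 2>&1
# Run every check on the files in directory $1; print the first failure and return 1.
check_oem_keys() (
    cd "$1" || exit 1
    for f in qpsa_rootca.key qpsa_attestca.key; do
        [ "$(key_curve "$f")" = secp384r1 ] || { echo "FAIL: curve of $f"; exit 1; }
    done
    for f in rootca_pem.crt ca_pem.crt; do
        [ "$(cert_sigalg "$f")" = ecdsa-with-SHA384 ] || { echo "FAIL: signature algorithm of $f"; exit 1; }
    done
    key_matches_cert qpsa_rootca.key rootca_pem.crt && key_matches_cert qpsa_attestca.key ca_pem.crt || { echo "FAIL: key/certificate mismatch"; exit 1; }
    chain_ok rootca_pem.crt ca_pem.crt || { echo "FAIL: attestation CA does not verify against root"; exit 1; }
    same_cert rootca_pem.crt qpsa_rootca.cer && same_cert ca_pem.crt qpsa_attestca.cer || { echo "FAIL: DER differs from PEM"; exit 1; }
)
```

After completing both steps, source the script and run `check_oem_keys ./OEM-KEYS`; `make_demo_chain` exists only to exercise the checks in a scratch directory.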

Last Published: Jan 30, 2025
