# Generate ECDSA root key and certificate

ECDSA offers superior security and performance compared to the RSA signature algorithm. As a result, the default configuration in SecTools supports ECDSA signing.

The following types of keys are created with ECDSA:
- The public key, which is accessible to everyone.
- The private key, which is only known to the owner of the key pair.

You can modify and run the following ECDSA-specific commands to generate the root key and certificate:

1. Go to the `OEM-KEYS` directory and generate the ECDSA root key and certificate:

   ```bash
   cd ./OEM-KEYS

   openssl ecparam -genkey -name secp384r1 -outform PEM -out qpsa_rootca.key
   ```

   ```bash
   openssl req -new -key qpsa_rootca.key -sha384 -out rootca_pem.crt -subj '/C=US/CN=Generated OEM Root CA/OU=CDMA Technologies/OU=General Use OEM Key (OEM should update all fields)/L=San Diego/O=SecTools/ST=California' -config opensslroot.cfg -x509 -days 7300 -set_serial 1
   ```

   ```bash
   openssl x509 -in rootca_pem.crt -inform PEM -out qpsa_rootca.cer -outform DER
   ```

2. Generate the intermediate Certificate Authority (CA) key pair and certificate:

   ```bash
   openssl ecparam -genkey -name secp384r1 -outform PEM -out qpsa_attestca.key
   ```

   ```bash
   openssl req -new -key qpsa_attestca.key -out ca.CSR -subj '/C=US/ST=California/CN=Generated OEM Attestation CA/O=SecTools/L=San Diego' -config opensslroot.cfg -sha384
   ```

   ```bash
   openssl x509 -req -in ca.CSR -CA rootca_pem.crt -CAkey qpsa_rootca.key -out ca_pem.crt -set_serial 1 -days 7300 -extfile v3.ext -sha384 -CAcreateserial
   ```

   ```bash
   openssl x509 -inform PEM -in ca_pem.crt -outform DER -out qpsa_attestca.cer
   ```
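After both steps, it is worth confirming that the output matches what the commands were meant to produce. The following script is an added example, not part of SecTools or the original procedure: it checks that each PEM certificate carries a secp384r1 key, an ECDSA/SHA-384 signature and `CA:TRUE`, and that the intermediate verifies against the root. The function names, `demo.cfg`, `demo_v3.ext` and the throwaway demo chain are assumptions made for illustration; on a real setup, call `check_chain rootca_pem.crt ca_pem.crt` in `OEM-KEYS`.

```sh
#!/bin/sh
# Added example: sanity-check an ECDSA P-384 root and intermediate CA pair.
# demo.cfg and demo_v3.ext are constructed stand-ins, not the page's
# opensslroot.cfg and v3.ext.

# check_cert FILE: pass only if the PEM certificate has a secp384r1 key,
# an ecdsa-with-SHA384 signature, and basicConstraints CA:TRUE.
check_cert() {
    _txt=$(openssl x509 -in "$1" -noout -text) || return 1
    for _want in 'ASN1 OID: secp384r1' \
                 'Signature Algorithm: ecdsa-with-SHA384' 'CA:TRUE'; do
        printf '%s\n' "$_txt" | grep -qF "$_want" ||
            { echo "$1: missing '$_want'" >&2; return 1; }
    done
}

# check_chain ROOT_PEM CA_PEM: both certificates pass check_cert and the
# intermediate's signature verifies against the root.
check_chain() {
    check_cert "$1" || return 1
    check_cert "$2" || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "$2 does not chain to $1" >&2; return 1; }
}

# make_demo_chain DIR [CURVE]: build a throwaway 1-day root + intermediate
# in DIR with the same command sequence as above (constructed sample input).
make_demo_chain() {
    _d=$1; _curve=${2:-secp384r1}
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        '[dn]' 'commonName=Common Name' \
        '[v3]' 'basicConstraints=critical,CA:TRUE' >"$_d/demo.cfg"
    echo 'basicConstraints=critical,CA:TRUE' >"$_d/demo_v3.ext"
    openssl ecparam -genkey -name "$_curve" -out "$_d/root.key" &&
    openssl req -new -x509 -key "$_d/root.key" -sha384 -days 1 \
        -subj '/CN=Demo Root' -config "$_d/demo.cfg" -out "$_d/root.crt" &&
    openssl ecparam -genkey -name "$_curve" -out "$_d/ca.key" &&
    openssl req -new -key "$_d/ca.key" -sha384 -subj '/CN=Demo CA' \
        -config "$_d/demo.cfg" -out "$_d/ca.csr" &&
    openssl x509 -req -in "$_d/ca.csr" -CA "$_d/root.crt" -CAkey "$_d/root.key" \
        -set_serial 2 -days 1 -sha384 -extfile "$_d/demo_v3.ext" \
        -out "$_d/ca.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_chain "$demo" &&
    check_chain "$demo/root.crt" "$demo/ca.crt" && echo "demo chain OK"
rm -rf "$demo"
```
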

## Next steps

- To allow client applications to authenticate securely and enable encrypted communication, see [Generate RSA CA key pair and certificate](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-rsa-root-ca-key-pair-and-certificate.html#generate-rsa-root-ca-key-pair-and-certificate).
- To enhance security, ensure data integrity, and support secure digital signatures, see [Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-sha-384-hash-for-rsa-and-ecdsa.html#generate-sha-384-hash-for-rsa-and-ecdsa).

Last Published: Apr 10, 2025
