此内容没有您所选择的语言版本。
Chapter 9. Installing an Instance with ECC System Certificates
Elliptic curve cryptography (ECC) may be preferred over RSA-style encryption in some cases, as it allows it to use much shorter key lengths and makes it faster to generate certificates. CAs which are ECC-enabled can issue both RSA and ECC certificates, using their ECC signing certificate.
Certificate System includes native support for ECC features; the support is enabled by default starting from NSS 3.16. It is also possible to load and use a third-party PKCS #11 module, such as a hardware security module (HSM). To use the ECC module, it must be loaded before the subsystem instance is configured.
Important
Third-party ECC modules must have an SELinux policy configured for them, or SELinux needs to be changed from
enforcing
mode to permissive
mode to allow the module to function. Otherwise, any subsystem operations which require the ECC module will fail.
9.1. Loading a Third-Party ECC Module
Loading a third-party ECC module follows the same principles as loading HSMs supported by Certificate System, which is described in Chapter 8, Using Hardware Security Modules for Subsystem Security Databases. See this chapter for more information.