什么是ECC?

椭圆加密算法（ECC）是一种公钥加密体制，最初由Koblitz和Miller两人于1985年提出，其数学基础是利用椭圆曲线上的有理点构成Abel加法群上椭圆离散对数的计算困难性。
与经典的RSA，DSA等公钥密码体制相比，椭圆密码体制有以下优点：
较短的密钥大小,使用较小的Key实现和RSA同等的安全性,更低的CPU消耗,节省带宽。
224 Bit ECC = 2048 Bit RSA
256 Bit ECC = 3072 Bit RSA
384 Bit ECC = 7680 Bit RSA
512 Bit ECC = 15360 Bit RSA

如何配置

步骤还是和RSA证书一样生成用Openssl私钥和公钥
生成私钥
openssl ecparam -out im66.key -name secp384r1 -genkey
其中name后的密钥长度可以自己改默认256,我改成了384。
保护key文件
chmod 400 im66.key

自签名测试
openssl req -new -sha384 -x509 -key im66.key -out im66_test.crt -days 365
因为是自签名信息随便填.

修改 Nginx 配置
vi /usr/local/nginx/conf/nginx.conf
找到ssl_certificate和ssl_certificate_key 替换
其他部分略:
ssl_certificate im66_test.crt.crt;
ssl_certificate_key im66.key;

重新载入配置
nginx -s reload

第三方签署证书

前面的由于是自签名,浏览器不信任,出现证书错误的提示.
下面把证书生成CSR提交给可信CA.
openssl req -new -sha256 -key im66.key -nodes -out www.im66.csr
填写信息:
Country Name (2 letter code) [AU]: (国家)
State or Province Name (full name) [Some-State]: (省份)
Locality Name (eg, city) []: (城市)
Organization Name (eg, company) []: (组织名称)
Organizational Unit Name (eg, section) []: (部门”.)
Common Name (eg, YOUR name) []: (名字,这里注意要写你的域名)
Email Address []: (你的邮箱地址)

A challenge password 和 An optional company name 直接留空。

完成后生成www.im66.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIBjTCCARMCAQAwezELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlpKMQ8wDQYDVQQH
DAZOaW5nYm8xDzANBgNVBAoMBlBjc3RhcjENMAsGA1UECwwEU3RhcjETMBEGA1UE
AwwKKi5pbTY2Lm5ldDEZMBcGCSqGSIb3DQEJARYKaUBpbTY2Lm5ldDB2MBAGByqG
SM49AgEGBSuBBAAiA2IABBO0UMf8ccFBzawCEwvtApGMxAFlED17/Nk5s6hl/Str
JdsjvyzqxEp9iyB5Os3VLmaScxfnfmYsv/whjkgLSvoljPeDG4Mtb3aBcFW1OdlM
9uHAUODLH24yY4o/ufu3i6AZMBcGCSqGSIb3DQEJAjEKDAhpbTY2Lm5ldDAKBggq
hkjOPQQDAgNoADBlAjA6ZwyLD8iMEPrHp4mkk5fGk5oGTeuC5yZ/3s++9L2G3YYH
L1xIa5cqolW242GAmc4CMQDD6EFhcxA2YxlznvWjXCKq19g5+N6ovI5gqYrQYgE5
Mlo3TBXzL+it8n2lZK/IAyU=
-----END CERTIFICATE REQUEST-----

接下来就提交证书。多数证书发型机构提交都不支持ECC,如免费的StartSSL、Wosign.
这里使用的是comodo免费3个月的证书。
申请步骤跳过
申请完后收到comodo发来的邮件附件 你的证书.zip
解压打开证书文件,把多个证书合并成一个。
im66_net.crt COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt
可以用文本编辑软件，也可以Linux下cat 这里就不多讲了。

-----BEGIN CERTIFICATE-----
MIIDyTCCA3CgAwIBAgIQVZ7LYUp/KrhQ4Mds2XpU+TAKBggqhkjOPQQDAjCBkDEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMT
LUNPTU9ETyBFQ0MgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTAe
Fw0xNTEwMTYwMDAwMDBaFw0xNjAxMTQyMzU5NTlaMEkxITAfBgNVBAsTGERvbWFp
biBDb250cm9sIFZhbGlkYXRlZDERMA8GA1UECxMIRnJlZSBTU0wxETAPBgNVBAMT
CGltNjYubmV0MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEE7RQx/xxwUHNrAITC+0C
kYzEAWUQPXv82TmzqGX9K2sl2yO/LOrESn2LIHk6zdUuZpJzF+d+Ziy//CGOSAtK
+iWM94Mbgy1vdoFwVbU52Uz24cBQ4MsfbjJjij+5+7eLo4IB0zCCAc8wHwYDVR0j
BBgwFoAUu/oI4L9U7lr9FqQ1AgmppMjs/UswHQYDVR0OBBYEFE42m0sbxWa+8fJT
HF8nDb8FpsoGMA4GA1UdDwEB/wQEAwIFgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIH
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9FQ0NEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGF
BggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2Eu
Y29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAhBgNVHREEGjAY
gghpbTY2Lm5ldIIMd3d3LmltNjYubmV0MAoGCCqGSM49BAMCA0cAMEQCIEVA7r4I
UgoG25hBrttw7FjSnnzJGa7NESmvcRDANbHLAiAejXAtyVekPHTu7eLCzofZROdu
EjKecYWxRyQ0phxFug==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDnTCCAyKgAwIBAgIQUQYB5jtQZzxV7k4Z2jBMqDAKBggqhkjOPQQDAzCBhTEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT
IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMzEzMDAw
MDAwWhcNMjkwMzEyMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy
ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N
T0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBFQ0MgRG9tYWluIFZhbGlk
YXRpb24gU2VjdXJlIFNlcnZlciBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BIg2jdgJVPWaKXk+JD06oiTxihgKVH3tQCza8LqO2YT1Rd03cJEkrLoU61FoIN3S
SFUAXW9E7ggci/lVXySaVIOjggFlMIIBYTAfBgNVHSMEGDAWgBR1cacZSBm8nZ3q
QUfflMRId5nTeTAdBgNVHQ4EFgQUu/oI4L9U7lr9FqQ1AgmppMjs/UswDgYDVR0P
AQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEwTAYDVR0f
BEUwQzBBoD+gPYY7aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPRUNDQ2Vy
dGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwcQYIKwYBBQUHAQEEZTBjMDsGCCsGAQUF
BzAChi9odHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9FQ0NBZGRUcnVzdENB
LmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMAoGCCqG
SM49BAMDA2kAMGYCMQDtilgEuIgqZMub1nOMLJwPVr3Lrs/A4RVYuImPsVNTtWG6
5FL7j6YooeQtlSxIViACMQDvavtMsSKuUzwaH3x8vVhGiljleoI0iloIE64Adby0
id6I7ObgYgAsmupHtaSvojI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIQQ1ICP/qokB8Tn+P05cFETjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MHYwEAYHKoZI
zj0CAQYFK4EEACIDYgAEA0d7L3XJghWF+3XkkRbUq2KZ9T5SCwbOQQB/l+EKJDwd
AQTuPdKNCZcM4HXk+vt3iir1A2BLNosWIxatCXH0SvQoULT+iBxuP2wvLwlZW6Vb
CzOZ4sM9iflqLO+y0wbpo4H+MIH7MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D
veAky1QaMB0GA1UdDgQWBBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAIMAYGBFUdIAAwSQYDVR0f
BEIwQDA+oDygOoY4aHR0cDovL2NybC50cnVzdC1wcm92aWRlci5jb20vQWRkVHJ1
c3RFeHRlcm5hbENBUm9vdC5jcmwwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzAB
hh5odHRwOi8vb2NzcC50cnVzdC1wcm92aWRlci5jb20wDQYJKoZIhvcNAQEMBQAD
ggEBAB3H+i5AtlwFSw+8VTYBWOBTBT1k+6zZpTi4pyE7r5VbvkjI00PUIWxB7Qkt
nHMAcZyuIXN+/46NuY5YkI78jG12yAA6nyCmLX3MF/3NmJYyCRrJZfwE67SaCnjl
lztSjxLCdJcBns/hbWjYk7mcJPuWJ0gBnOqUP3CYQbNzUTcp6PYBerknuCRR2RFo
1KaFpzanpZa6gPim/a5thCCuNXZzQg+HCezF3OeTAyIal+6ailFhp5cmHunudVEI
kAWvL54TnJM/ev/m6+loeYyv4Lb67psSE/5FjNJ80zXrIRKT/mZ1JioVhCb3ZsnL
jbsJQdQYr7GzEPUQyp2aDrV1aug=
-----END CERTIFICATE-----

之后更改nginx中的ssl_certificate为im66_net.crt； reload配置生效。

SSLlabs Server Test A+

ECC的不足

说了这么多其实ECC还是有缺点的,就是浏览器支持兼容程度。
按照ssllabs的测试；ECC证书在XP系统上不可用，即使是SP3&IE8也不行。Android 2.3系统、Java 6u45、OpenSSL 0.9.8y也不支持。
完整的支持列表:

Internet Explorer 8 and later
Firefox 19
Opera 8 with TLS 1.1 enabled
Google Chrome:
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)
Mobile Browsers
Mobile Safari for iOS 4.0
Android 3.0 (Honeycomb) and later
Windows Phone 7