How to find out if a certificate has an elliptic curve or an RSA key

You can use openssl to find out whether your certificate uses an elliptic curve key (e.g. for ECDSA) or an RSA key with the following command, replacing cert.pem with the path to your certificate:

example-8.sh

If the certificate’s key is an elliptic curve key, it will print:

example-7.txt

If the certificate’s key is another type of key, such as an RSA key, it will print:

example-6.txt

How it works

First we tell OpenSSL to print info about the certificate:

example-5.sh

Then we grep for ecPublicKey, because for elliptic curve keys the output of the aforementioned openssl command contains:

example-4.txt
    Public Key Algorithm: id-ecPublicKey
        Public-Key: (384 bit)
        pub:

whereas for RSA keys it looks like this:

example-3.txt
    Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus:

The output of the grep command is redirected to /dev/null since we’re not interested in the output itself but only in its return code (which is available as $? in the shell). grep returns a return code of 0 if and only if it finds at least one match in the input; otherwise its return code is 1. In our case, this means that we’ll get a return code of 0 if ecPublicKey appears anywhere in the output. We assume that this string will only ever occur in the Subject Public Key Info: section. While in theory ecPublicKey could appear in some user-defined field of the certificate, this is extremely unlikely to happen and could be mitigated by using a more specific regular expression in grep.

We can then use this bash snippet:

example-2.sh
then
    # TODO insert code if grep does NOT find anything
else
    # TODO insert code if grep finds at least one line
fi

which we use like this:

example-1.sh

i.e. depending on the return code of grep, we will print the correct message.
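As an added example (not code from the original post), the following POSIX shell script applies the same openssl x509 -text check, but reads only the Public Key Algorithm: line of the Subject Public Key Info section, which is the regular-expression mitigation mentioned above; it also goes a step further than the post and reports the algorithm name for keys that are neither EC nor RSA. The make_test_cert helper, the function names and the throwaway certificates are this example's own constructions.

```shell
#!/bin/sh
# Added example (not the post's own code): classify the key in an X.509
# certificate from the same "openssl x509 -text" output the post relies on,
# but read only the "Public Key Algorithm:" line of the Subject Public Key
# Info section, so that "ecPublicKey" appearing in some other field of the
# certificate cannot produce a false positive.

# Print EC, RSA, or the raw OpenSSL algorithm name for anything else
# (e.g. ED25519); print ERROR and return 2 if the file cannot be parsed.
cert_key_type() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo ERROR
        return 2
    }
    algo=$(printf '%s\n' "$text" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$algo" in
        id-ecPublicKey) echo EC ;;
        rsaEncryption)  echo RSA ;;
        '')             echo ERROR; return 2 ;;
        *)              echo "$algo" ;;
    esac
}

# Stricter form of the post's one-liner: exit status 0 only when the
# algorithm line itself names id-ecPublicKey (grep -q is equivalent to
# redirecting grep's output to /dev/null).
is_ec_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q '^ *Public Key Algorithm: id-ecPublicKey$'
}

# Test fixture (constructed for this example): write a throwaway self-signed
# certificate of the given key type ("ec" or "rsa") to $2; the private key
# goes to $2.key.
make_test_cert() {
    case "$1" in
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$2.key" ;;
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$2.key" ;;
        *)   return 1 ;;
    esac 2>/dev/null &&
    openssl req -x509 -new -key "$2.key" -out "$2" -days 1 \
        -subj "/CN=keytype-test" 2>/dev/null
}

# Usage: sh keytype.sh cert1.pem [cert2.pem ...]
for cert in "$@"; do
    printf '%s: %s\n' "$cert" "$(cert_key_type "$cert")"
done
```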

