diff --git a/package/utils/px5g/Makefile b/package/utils/px5g/Makefile
index 592d19663d..f4be6cb5ee 100644
--- a/package/utils/px5g/Makefile
+++ b/package/utils/px5g/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=px5g
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 PKG_LICENSE:=LGPL-2.1
 
 PKG_USE_MIPS16:=0
@@ -52,7 +52,7 @@ ifeq ($(BUILD_VARIANT),standalone)
   TARGET_LDFLAGS := -Wl,-Bstatic $(TARGET_LDFLAGS) -Wl,-Bdynamic
 endif
 
-TARGET_CFLAGS += -Wl,--gc-sections
+TARGET_CFLAGS += -Wl,--gc-sections -Wall -Werror
 
 define Build/Compile
 	$(TARGET_CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -o $(PKG_BUILD_DIR)/px5g px5g.c $(TARGET_LDFLAGS)
diff --git a/package/utils/px5g/px5g.c b/package/utils/px5g/px5g.c
index f0fe4dcfd3..0b72154509 100644
--- a/package/utils/px5g/px5g.c
+++ b/package/utils/px5g/px5g.c
@@ -32,6 +32,7 @@
 
 #include <mbedtls/bignum.h>
 #include <mbedtls/x509_crt.h>
+#include <mbedtls/ecp.h>
 #include <mbedtls/rsa.h>
 #include <mbedtls/pk.h>
 
@@ -73,6 +74,23 @@ static void write_file(const char *path, int len, bool pem)
 	fclose(f);
 }
 
+static mbedtls_ecp_group_id ecp_curve(const char *name)
+{
+	const mbedtls_ecp_curve_info *curve_info;
+
+	if (!strcmp(name, "P-256"))
+		return MBEDTLS_ECP_DP_SECP256R1;
+	else if (!strcmp(name, "P-384"))
+		return MBEDTLS_ECP_DP_SECP384R1;
+	else if (!strcmp(name, "P-521"))
+		return MBEDTLS_ECP_DP_SECP521R1;
+	curve_info = mbedtls_ecp_curve_info_from_name(name);
+	if (curve_info == NULL)
+		return MBEDTLS_ECP_DP_NONE;
+	else
+		return curve_info->grp_id;
+}
+
 static void write_key(mbedtls_pk_context *key, const char *path, bool pem)
 {
 	int len = 0;
@@ -89,24 +107,33 @@ static void write_key(mbedtls_pk_context *key, const char *path, bool pem)
 	write_file(path, len, pem);
 }
 
-static void gen_key(mbedtls_pk_context *key, int ksize, int exp, bool pem)
+static void gen_key(mbedtls_pk_context *key, bool rsa, int ksize, int exp,
+		    mbedtls_ecp_group_id curve, bool pem)
 {
 	mbedtls_pk_init(key);
-	fprintf(stderr, "Generating RSA private key, %i bit long modulus\n", ksize);
-	mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
-	if (mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL, ksize, exp)) {
-		fprintf(stderr, "error: key generation failed\n");
-		exit(1);
+	if (rsa) {
+		fprintf(stderr, "Generating RSA private key, %i bit long modulus\n", ksize);
+		mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+		if (!mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL, ksize, exp))
+			return;
+	} else {
+		fprintf(stderr, "Generating EC private key\n");
+		mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
+		if (!mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key), _urandom, NULL))
+			return;
 	}
+	fprintf(stderr, "error: key generation failed\n");
+	exit(1);
 }
 
-int rsakey(char **arg)
+int dokey(bool rsa, char **arg)
 {
 	mbedtls_pk_context key;
 	unsigned int ksize = 512;
 	int exp = 65537;
 	char *path = NULL;
 	bool pem = true;
+	mbedtls_ecp_group_id curve = MBEDTLS_ECP_DP_SECP256R1;
 
 	while (*arg && **arg == '-') {
 		if (!strcmp(*arg, "-out") && arg[1]) {
@@ -120,10 +147,17 @@ int rsakey(char **arg)
 		arg++;
 	}
 
-	if (*arg)
+	if (*arg && rsa) {
 		ksize = (unsigned int)atoi(*arg);
+	} else if (*arg) {
+		curve = ecp_curve((const char *)*arg);
+		if (curve == MBEDTLS_ECP_DP_NONE) {
+			fprintf(stderr, "error: invalid curve name: %s\n", *arg);
+			return 1;
+		}
+	}
 
-	gen_key(&key, ksize, exp, pem);
+	gen_key(&key, rsa, ksize, exp, curve, pem);
 	write_key(&key, path, pem);
 
 	mbedtls_pk_free(&key);
@@ -146,20 +180,37 @@ int selfsigned(char **arg)
 	time_t from = time(NULL), to;
 	char fstr[20], tstr[20], sstr[17];
 	int len;
+	bool rsa = true;
+	mbedtls_ecp_group_id curve = MBEDTLS_ECP_DP_SECP256R1;
 
 	while (*arg && **arg == '-') {
 		if (!strcmp(*arg, "-der")) {
 			pem = false;
 		} else if (!strcmp(*arg, "-newkey") && arg[1]) {
-			if (strncmp(arg[1], "rsa:", 4)) {
-				fprintf(stderr, "error: invalid algorithm");
+			if (!strncmp(arg[1], "rsa:", 4)) {
+				rsa = true;
+				ksize = (unsigned int)atoi(arg[1] + 4);
+			} else if (!strcmp(arg[1], "ec")) {
+				rsa = false;
+			} else {
+				fprintf(stderr, "error: invalid algorithm\n");
 				return 1;
 			}
-			ksize = (unsigned int)atoi(arg[1] + 4);
 			arg++;
 		} else if (!strcmp(*arg, "-days") && arg[1]) {
 			days = (unsigned int)atoi(arg[1]);
 			arg++;
+		} else if (!strcmp(*arg, "-pkeyopt") && arg[1]) {
+			if (strncmp(arg[1], "ec_paramgen_curve:", 18)) {
+				fprintf(stderr, "error: invalid pkey option: %s\n", arg[1]);
+				return 1;
+			}
+			curve = ecp_curve((const char *)(arg[1] + 18));
+			if (curve == MBEDTLS_ECP_DP_NONE) {
+				fprintf(stderr, "error: invalid curve name: %s\n", arg[1] + 18);
+				return 1;
+			}
+			arg++;
 		} else if (!strcmp(*arg, "-keyout") && arg[1]) {
 			keypath = arg[1];
 			arg++;
@@ -196,8 +247,7 @@ int selfsigned(char **arg)
 		}
 		arg++;
 	}
-
-	gen_key(&key, ksize, exp, pem);
+	gen_key(&key, rsa, ksize, exp, curve, pem);
 
 	if (keypath)
 		write_key(&key, keypath, pem);
@@ -223,7 +273,7 @@ int selfsigned(char **arg)
 	mbedtls_x509write_crt_set_subject_key_identifier(&cert);
 	mbedtls_x509write_crt_set_authority_key_identifier(&cert);
 
-	_urandom(NULL, buf, 8);
+	_urandom(NULL, (void *) buf, 8);
 	for (len = 0; len < 8; len++)
 		sprintf(sstr + len*2, "%02x", (unsigned char) buf[len]);
 
@@ -260,8 +310,10 @@ int main(int argc, char *argv[])
 
 	if (!argv[1]) {
 		//Usage
+	} else if (!strcmp(argv[1], "eckey")) {
+		return dokey(false, argv+2);
 	} else if (!strcmp(argv[1], "rsakey")) {
-		return rsakey(argv+2);
+		return dokey(true, argv+2);
 	} else if (!strcmp(argv[1], "selfsigned")) {
 		return selfsigned(argv+2);
 	}
@@ -269,6 +321,6 @@ int main(int argc, char *argv[])
 	fprintf(stderr,
 		"PX5G X.509 Certificate Generator Utility v" PX5G_VERSION "\n" PX5G_COPY
 		"\nbased on PolarSSL by Christophe Devine and Paul Bakker\n\n");
-	fprintf(stderr, "Usage: %s [rsakey|selfsigned]\n", *argv);
+	fprintf(stderr, "Usage: %s [eckey|rsakey|selfsigned]\n", *argv);
 	return 1;
 }