diff --git a/CHANGES b/CHANGES
index 50602f74d8..ace5d58b93 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6222.	[func]		Fixes to provider/engine based ECDSA key handling. [GL !8152]
+
 6221.	[cleanup]	Refactor dns_rdataset internals, move rdatasetheader
 			declarations out of rbtdb.c so they can be used by other
 			databases in the future, and split the zone and cache
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 04bd67deac..f87b36dbe2 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -119,15 +119,15 @@ BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
 	return (size);
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 
 static const char *
 opensslecdsa_key_alg_to_group_name(unsigned int key_alg) {
 	switch (key_alg) {
 	case DST_ALG_ECDSA256:
-		return ("P-256");
+		return ("prime256v1");
 	case DST_ALG_ECDSA384:
-		return ("P-384");
+		return ("secp384r1");
 	default:
 		UNREACHABLE();
 	}
@@ -846,16 +846,14 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
 
 	keylen = opensslecdsa_key_alg_to_publickey_size(key->key_alg) / 2;
 	INSIST(keylen <= sizeof(buf));
-	if (!opensslecdsa_extract_private_key(key, buf, keylen)) {
-		DST_RET(DST_R_OPENSSLFAILURE);
-	}
 
 	i = 0;
-	priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
-	priv.elements[i].length = keylen;
-	priv.elements[i].data = buf;
-	i++;
-
+	if (opensslecdsa_extract_private_key(key, buf, keylen)) {
+		priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+		priv.elements[i].length = keylen;
+		priv.elements[i].data = buf;
+		i++;
+	}
 	if (key->engine != NULL) {
 		priv.elements[i].tag = TAG_ECDSA_ENGINE;
 		priv.elements[i].length = (unsigned short)strlen(key->engine) +
@@ -929,10 +927,6 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 
-	if (privkey_index < 0) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-
 	if (label != NULL) {
 		ret = opensslecdsa_fromlabel(key, engine, label, NULL);
 		if (ret != ISC_R_SUCCESS) {
@@ -947,6 +941,10 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		DST_RET(ISC_R_SUCCESS);
 	}
 
+	if (privkey_index < 0) {
+		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+	}
+
 	ret = opensslecdsa_create_pkey(
 		key->key_alg, true, priv.elements[privkey_index].data,
 		priv.elements[privkey_index].length, &pkey);