ECC certificates? - Githubissues

ndilieto / uacme

ACMEv2 client written in plain C with minimal dependencies

GNU General Public License v3.0

423 stars 36 forks source link

ECC certificates? #1

Closed MrSorcus closed 5 years ago

MrSorcus commented 5 years ago

Do you have any plans for supporting ECC certificates?

ndilieto commented 5 years ago

Added support for ECC keys and certificates in the following commit:

https://github.com/ndilieto/uacme/commit/795dfecf368d5b28ae672fcaa29012fb4efe99de

Please note, currently Let’s Encrypt only signs end-entity certificates with RSA intermediates. They are planning (ETA: Q3 2019) to generate an ECDSA root and intermediates:

https://letsencrypt.org/upcoming-features

MrSorcus commented 5 years ago

Cool, works very good. A little question, why secp384r1 is not supported? Hard to implement? Anyway, thank you so much.

ndilieto commented 5 years ago

A little question, why secp384r1 is not supported? Hard to implement?

It's not hard to add more curves but as per standard the only mandatory algorithm is ES256 which is based on NID_X9_62_prime256v1 and I'd rather not add features that might not be supported.

From https://tools.ietf.org/html/rfc8555#section-6.2

An ACME server MUST implement the "ES256" signature algorithm [RFC7518] and SHOULD implement the "EdDSA" signature algorithm using the "Ed25519" variant (indicated by "crv") [RFC8037]

MrSorcus commented 5 years ago

Hmm... I issued ECC certificate, but i can't issue second RSA certificate. Logs

archlinux% uacme -s -t RSA -h ./main issue "example.com" "*.example.com" --verbose
uacme: version 1.0.8.2-795d-dirty starting on Thu, 09 May 2019 12:33:46 +0000
uacme: loading key from /etc/ssl/uacme/private/key.pem
uacme: loading key from /etc/ssl/uacme/private/example.com/key.pem
uacme: checking existence and expiration of /etc/ssl/uacme/example.com/cert.pem
uacme: /etc/ssl/uacme/example.com/cert.pem expires in 89 days
uacme: skipping /etc/ssl/uacme/example/cert.pem

ndilieto commented 5 years ago

Hmm... I issued ECC certificate, but i can't issue second RSA certificate.

Note that the -t flag only applies to newly generated keys. Once keys exist, the -t flag has no effect, as specified in the manual for version 1.0.9. If you want a new cert with RSA keys for the same domain you'll need to use a different configuration directory (use -c /etc/ssl/uacme-rsa for example). If you want to use the same account for the new cert, you can copy /etc/ssl/uacme/private/key.pem to /etc/ssl/uacme-rsa/private/key.pem before issuing. Otherwise you can generate a new account.

ndilieto commented 5 years ago

Cool, works very good. A little question, why secp384r1 is not supported? Hard to implement? Anyway, thank you so much.

I've asked Let's Encrypt and they currently support only prime256v1 and secp384r1. They have no plans to add any more for the foreseeable future. Therefore I've just added support for secp384r1 in commit dd87e89f. You can select it by adding -t EC -b 384 to your command line. Let me know if it works for you...

MrSorcus commented 5 years ago

Let me know if it works for you...

Works fine. Thanks a lot.