2048 Key Length using Crypt-LE

bradpcmac · September 19, 2022, 7:03pm

Tool: Crypt-LE (Releases · do-know/Crypt-LE · GitHub) @leader

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2012 R2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Crypt-LE v 0.38 (Releases · do-know/Crypt-LE · GitHub)

Does anyone know if it's possible to generate certs with 2048 key length with this tool instead of 4096, which seems to be the default?

Thanks!

Brad

mcpherrinm · September 19, 2022, 7:11pm

I'm not familiar with this client. However I took a quick read through the code, and it looks like the legacy command line flag will generate 2048 bit RSA keys, as well as another change around where it saves the CA files.

github.com

do-know/Crypt-LE/blob/master/script/le.pl#L120


      
              }
          } else {
              $opt->{'logger'}->info("Generating a new CSR for domains $opt->{'domains'}");
              if (-e $opt->{'csr-key'}) {
                   # Allow using pre-existing key when generating CSR
                   return $opt->{'error'}->("Could not load existing CSR key from $opt->{'csr-key'} - " . $le->error_details, 'CSR_KEY_LOAD') if $le->load_csr_key($opt->{'csr-key'});
                   $opt->{'logger'}->info("New CSR will be based on '$opt->{'csr-key'}' key");
              } else {
                   $opt->{'logger'}->info("New CSR will be based on a generated key");
              }
              my ($type, $attr) = $opt->{'curve'} ? (KEY_ECC, $opt->{'curve'}) : (KEY_RSA, $opt->{'legacy'} ? 2048 : 4096);
              $le->generate_csr($opt->{'domains'}, $type, $attr) == OK or return $opt->{'error'}->("Could not generate a CSR: " . $le->error_details, 'CSR_GENERATE');
              $opt->{'logger'}->info("Saving a new CSR into $opt->{'csr'}");
              return "Failed to save a CSR" if _write($opt->{'csr'}, $le->csr);
              unless (-e $opt->{'csr-key'}) {
                  $opt->{'logger'}->info("Saving a new CSR key into $opt->{'csr-key'}");
                  return $opt->{'error'}->("Failed to save a CSR key", 'CSR_SAVE') if _write($opt->{'csr-key'}, $le->csr_key);
              }
              return $opt->{'error'}->("For multi-webroot path usage, the amount of paths given should match the amount of domain names listed.", 'WEBROOT_MISMATCH') if _path_mismatch($le, $opt);
          }

github.com

do-know/Crypt-LE/blob/master/script/le.pl#L864


      
          -update-contacts <emails>    : Update contact details.
          -export-pfx <password>       : Export PFX (Windows binaries only).
          -tag-pfx <tag>               : Tag PFX with a specific name.
          -alternative <num>           : Save an alternative ceritifcate (if available).
          -config <file>               : Configuration file for the client.
          -log-config <file>           : Configuration file for logging.
          -generate-missing            : Generate missing files (key, csr and csr-key).
          -generate-only               : Exit after generating the missing files.
          -unlink                      : Remove challenge files automatically.
          -revoke                      : Revoke a certificate.
          -legacy                      : Legacy mode (shorter keys, separate CA file).
          -delayed                     : Exit after requesting the challenge.
          -live                        : Use the live server instead of the test one.
          -debug                       : Print out debug messages.
          -quiet                       : Suppress all messages but errors.
          -help                        : Detailed help.
          
          
EOF
              exit(1);
          }

Alternatively, you can generate your own key file and use the -csr-key flag:

github.com

do-know/Crypt-LE/blob/master/script/le.pl#L837


      
                  
          EOF
              }
              print <<'EOF';
           =====================
           AVAILABLE PARAMETERS:
           =====================
          
          
-key <file>                  : Account key file.
          -csr <file>                  : CSR file.
          -csr-key <file>              : Key for CSR (optional if CSR exists).
          -crt <file>                  : Name for the domain certificate file.
          -domains <list>              : Domains list (optional if CSR exists).
          -renew <XX>                  : Renew if XX or fewer days are left.
          -renew-check <URL>           : Check expiration against a specific URL.
          -curve <name|default>        : ECC curve name (optional).
          -path <absolute path>        : Path to .well-known/acme-challenge/ (optional).
          -handle-with <module>        : Module to handle challenges with (optional).
          -handle-as <http|dns|tls>    : Type of challenge, by default 'http' (optional).
          -handle-params <json|file>   : JSON for the challenge module (optional).
          -complete-with <module>      : Module to handle completion with (optional).

This is assuming you're using the le.pl script; if you're using it as a library in another perl project, you will have to read the API docs to understand how to change it.

leader · September 19, 2022, 7:24pm

That was extremely quick and absolutely correct. Also Windows executables use the same options, so this should work if you use those rather than the script too. Let me know in PM if it does or doesn't, @bradpcmac

bradpcmac · September 19, 2022, 7:28pm

Thanks @mcpherrinm & @leader

I searched the help file first, I promise I should have read it more carefully. I think I searched for "2048" or "4096". This is extremely helpful for our testing, and we can move forward now.

9peppe · September 19, 2022, 8:37pm

3072 bit RSA is an option, if you think 2048 isn't enough.

4096 has an heavy performance penalty. But we shouldn't be using RSA anyway.

system · October 20, 2022, 5:03am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Generate a 2048 bit CSR and Certificates with ZeroSSL Help	15	8771	June 8, 2017
How can I generate a certificate with a 2048 bit private key? Help	12	8083	April 13, 2018
Auto renewing via cron job only issuing 2048 key size Help	11	10227	November 19, 2017
Issues when paste account key Help	5	614	September 16, 2019
Bug: Alpine certbot package (docker) generates Private-Key: (256 bit) Help	14	50	October 9, 2024

2048 Key Length using Crypt-LE

Related topics