Certificate Requested as ECDSA-256 but receiving 384

I am requesting a certificate using cert-manager with a requested key algorithm of ECDSA and size of 256.

For those familiar:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: meves-test
spec:
  commonName: ""
  dnsNames:
  - 'meves-test.testing.k8.atcloud.io'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  privateKey:
    rotationPolicy: Always
    algorithm: ECDSA
    size: 256
  secretName: meves-test

I can see in the resultant CSR that is created and used that these requested properties are seemingly set correctly, as the CSR includes: Signature Algorithm: ecdsa-with-SHA256

However, the resultant certificate that's issued has Signature Algorithm: ecdsa-with-SHA384

The signatures are separate from the size of the cert.
The cert itself is 256 bits:

            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:65:04:18:75:ab:f2:7c:17:28:c7:f8:0a:2a:7c:
                    7c:1b:a1:76:e1:46:5c:48:4b:c8:f1:d2:3f:fa:03:
                    1e:30:d7:a7:67:53:f8:71:a5:0b:a8:23:80:1e:b8:
                    5c:76:0e:aa:d6:52:5e:99:64:3a:2f:47:32:c2:ef:
                    fb:46:4e:49:60
6 Likes

Your key is P-256. Let's Encrypt has signed it with a P-384 intermediate. You control what key you're using, and Let's Encrypt controls what key they're using.

Other than it being a little confusing, is it causing any actual problems for you?

6 Likes
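The distinction drawn in the two replies above (the subject's key size is one thing, the issuer's signing key and digest are another) can be reproduced locally with openssl. The script below is an added example and is not code from the thread or from cert-manager or Let's Encrypt: it generates a P-256 leaf key and CSR (the equivalent of algorithm: ECDSA, size: 256), signs it with a self-signed P-384 CA that stands in for the Let's Encrypt P-384 intermediate, and then reads back the signature algorithm and the public key size. The CN values, file names and the use of a throwaway CA are assumptions for the demonstration; the only requirement is an openssl 1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a P-256 leaf signed by a P-384 issuer
# carries a 256-bit public key but an ecdsa-with-SHA384 signature.
set -e

# Create leaf key, CSR, P-384 CA and signed leaf certificate in directory $1.
# Names and subjects are made up for the demonstration.
build_chain() {
  dir=$1
  # Leaf key on P-256 (prime256v1): what cert-manager generates for ECDSA/256.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  # The CSR is self-signed with the leaf key, so its signature reflects that key.
  openssl req -new -sha256 -key "$dir/leaf.key" \
    -subj "/CN=meves-test.example.invalid" -out "$dir/leaf.csr" 2>/dev/null
  # Issuer key on P-384 (secp384r1): stands in for the Let's Encrypt intermediate.
  openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Example P-384 CA" \
    -days 1 -out "$dir/ca.crt" 2>/dev/null
  # The issuer, not the requester, picks the signing key and digest. Let's Encrypt
  # pairs its P-384 intermediate with SHA-384, so -sha384 is given explicitly
  # (openssl would otherwise default to SHA-256 regardless of the CA curve).
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha384 -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# Signature algorithm recorded in a CSR ($1 = path to the CSR).
csr_sig_alg() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Signature algorithm recorded in a certificate ($1 = path to the certificate).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Size in bits of the subject public key ($1 = path to the certificate).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

work=$(mktemp -d)
build_chain "$work"
echo "CSR signature  : $(csr_sig_alg "$work/leaf.csr")"       # ecdsa-with-SHA256 (leaf key)
echo "Cert signature : $(cert_sig_alg "$work/leaf.crt")"      # ecdsa-with-SHA384 (issuer key)
echo "Cert key size  : $(cert_key_bits "$work/leaf.crt") bit" # 256 (the leaf key is unchanged)
```

The same three openssl read-backs can be run against a real cert-manager secret: the CSR stored in the CertificateRequest shows the requester's key and digest, while the issued certificate's Signature Algorithm line is whatever the CA chose, so checking Public-Key: (256 bit) rather than the signature line is the right way to confirm the requested key size was honoured.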

Thanks both, complete misunderstanding on my part. What you've said makes complete sense.

6 Likes
