Does Let's Encrypt support EC ACME account keys?


#1

Please, do tell.
I (almost) hate 4K RSA private keys.


How to create new account with ECDSA key
#2

It’s pretty much only Certbot that doesn’t support them, many other ACME clients do, out of the box.


#3

Here’s a quick log of creating an ACME account with the Let’s Encrypt V2 API in the staging environment with a randomly generated EC P-256 account key:

2018/12/18 15:58:09 AutoRegister is disabled
2018/12/18 15:58:09 Sending GET request to URL "https://acme-staging-v02.api.letsencrypt.org/directory"
2018/12/18 15:58:09 Updated directory
2018/12/18 15:58:09 Sending HEAD request to URL "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce"
2018/12/18 15:58:09 Updated nonce to "UMHIFWl878XeVQCIfOl4BJT6CTmfJ6kni-3QhUOLiIk"
2018/12/18 15:58:24 Signing:
{"termsOfServiceAgreed":true}
2018/12/18 15:58:24 Sending HEAD request to URL "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce"
2018/12/18 15:58:24 Updated nonce to "uo3Jkd5m1d1REoVwrQWuhh2L_IU8sIqKJ_qn2G2CbPU"
2018/12/18 15:58:24 JWS:
{"payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0","protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlF2eFBxaFVaTm9scmpRTC1pS1QxY1Z6WjZuRmdiblhMd0E1bVBFSDlxNGciLCJ5IjoiWTVkeHB4Z3dEQjhlaHpHSWFMZW9xcTZ5NnB4Z0JtM0JZdVVOX0tnb0lZSSJ9LCJub25jZSI6IlVNSElGV2w4NzhYZVZRQ0lmT2w0QkpUNkNUbWZKNmtuaS0zUWhVT0xpSWsiLCJ1cmwiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0In0","signature":"VLN9ebrjE5trvuBZUBny6_kakE_Sn9W3jrE9V6lyF56hdS6FqzhraqYcWffe5ZLtJwIQEb8VfPeoldLu6t5xVg"}
2018/12/18 15:58:24 Sending "newAccount" request (contact: []) to "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
2018/12/18 15:58:25 Request:
POST /acme/new-acct HTTP/1.1
Host: acme-staging-v02.api.letsencrypt.org
Accept-Language: en-us
Content-Type: application/jose+json
User-Agent: cpu.acmeshell 0.0.1 (linux; amd64)

{"payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0","protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlF2eFBxaFVaTm9scmpRTC1pS1QxY1Z6WjZuRmdiblhMd0E1bVBFSDlxNGciLCJ5IjoiWTVkeHB4Z3dEQjhlaHpHSWFMZW9xcTZ5NnB4Z0JtM0JZdVVOX0tnb0lZSSJ9LCJub25jZSI6IlVNSElGV2w4NzhYZVZRQ0lmT2w0QkpUNkNUbWZKNmtuaS0zUWhVT0xpSWsiLCJ1cmwiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0In0","signature":"VLN9ebrjE5trvuBZUBny6_kakE_Sn9W3jrE9V6lyF56hdS6FqzhraqYcWffe5ZLtJwIQEb8VfPeoldLu6t5xVg"}
2018/12/18 15:58:25 Response:
HTTP/1.1 201 Created
Content-Length: 302
Boulder-Requester: 7617992
Cache-Control: max-age=0, no-cache, no-store
Connection: keep-alive
Content-Type: application/json
Date: Tue, 18 Dec 2018 20:58:25 GMT
Expires: Tue, 18 Dec 2018 20:58:25 GMT
Link: <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/7617992
Pragma: no-cache
Replay-Nonce: PjN5fr5Ncu4YiiFoT3gRAUV9a5S-ns7x_2gn8v-vn44
Server: nginx
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY

{
  "id": 7617992,
  "key": {
    "kty": "EC",
    "crv": "P-256",
    "x": "QvxPqhUZNolrjQL-iKT1cVzZ6nFgbnXLwA5mPEH9q4g",
    "y": "Y5dxpxgwDB8ehzGIaLeoqq6y6pxgBm3BYuUN_KgoIYI"
  },
  "contact": [],
  "initialIp": "",
  "createdAt": "2018-12-18T20:58:25.068662175Z",
  "status": "valid"
}
2018/12/18 15:58:25 Created account with ID "https://acme-staging-v02.api.letsencrypt.org/acme/acct/7617992"
Created private key for ID "https://acme-staging-v02.api.letsencrypt.org/acme/acct/7617992"
Created account with ID "https://acme-staging-v02.api.letsencrypt.org/acme/acct/7617992" Contacts []
Active account is now "https://acme-staging-v02.api.letsencrypt.org/acme/acct/7617992"

Hopefully that’s convincing :laughing:


#4

EC P-256 account keys are actually the default in Posh-ACME. P-384 is also in there as an option. And the code is ready to support P-521 if it gets enabled on the LE side (which I’m currently under the impression it’s not).


#5

I had no real doubt; I just never knew how, or was limited by what certbot could do and just never really looked at that again…

Until now!
Which brings me to the obvious question:
When will certbot(-auto) support EC accounts?


#6