ECC Intermediate


#1

It was mentioned in a blog post that LE were going to get new intermediate certs which were ECC to allow having an ECC+ECC cert chain instead of the current RSA+ECC chain. This was planned to be completed by August. As it’s now September I’m wondering if we can get an update of where this is at?

Also out of curiosity, I don’t use the certbot and use an acme client with a CSR file which means I manually download the intermediate and root certificates for the chain. Am I right in thinking that when you do get an ECC intermediate that you will automatically start signing ECC certs with it and therefore it will break my current chain until I manually download the new ECC intermediate cert again and overwrite the RSA one? Or will there be some method to select if you want RSA or ECC via acme?


#2

The ETA has been updated to “Before March 31, 2017” a while back. There’s (now) an upcoming features page on the website where ETAs are published.

The intermediate certificate (or rather a link to it) is included as part of the ACME protocol (via a Link header with relation “up”) and compliant clients should use that URL to download and store the intermediate certificate. There’s no guarantee that the intermediate certificate isn’t going to change at any point, so hard-coding the certificate or an URL will cause problems down the line (this has happened a couple of months back when the issuer certificate was changed to fix a Windows XP compatibility issue).

I would guess the selection would be based on the CSR type, but I don’t think this has been confirmed yet.


#3

Perfect. Thanks. My acme client is very very basic. I’m using the python acme-tiny script so I manually download the intermediate. It’s only my personal home website so it’s not a huge deal if it breaks temporarily during renewal. Just I was curious how it’s actually likely to work so that I can be aware around the renewal time. OK, I’ll wait until March then it seems!


#4

You might be interested in this fork which adds intermediate certificate retrieval.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.