I'm having some difficulty with ECDSA certificates today. I'm using the acme-tiny script to issue an ECDSA and an RSA certificate with 11 additional SANs. Testing against the staging server saw the ECDSA certificate rejected but the RSA certificate issued. I found an old thread which said there was a configuration problem on the staging server and that staging was failing to issue certificates with ECSDA keys but production was OK, so I hoped for the best and tried again with production. Same problem.
Furthermore, I can't see anything in the logs on https://crt.sh/ for either of these two subject names:
The error I'm getting on the console when using the script is:
Is anyone else able to get a certificate signed using ECDSA at the moment, or is it just me? I'm unsure whether to bug LE or acme-tiny at the moment, but I'm guessing it must be LE as it's working for RSA keys. The ECSDA and RSA CSRs are identical apart from the private key used to create them (i.e. same openssl.cnf).
Hmm, the CSR seems to indicate that you’re using the secp256k1 curve, which I believe is not supported (NIST P-256 would work).
I’m pretty sure, however, that you’d get a more specific error message if that was the problem. There might be more than one problem. Either way, this is probably worth checking just in case.
Comparing your CSR with a known-good CSR shows a couple of other differences, though there’s nothing that looks like it should be causing this (especially given that it seems to work with a RSA CSR created based on the same config). If changing the curve doesn’t fix the issue and you’re willing to dig into this, try removing/changing them one by one to see what’s causing the error:
The Version field seems to be set to zero, the known-good CSR has this set to 2. (I think this might be related to the openssl version).
The known-good CSR does not set any Subject field other than CN. This should be fine and the CA server should just ignore those fields.
The value of your CN field contains a domain that’s not included as a Subject Alternative Name. I’m not sure if the CA server will “fix” this.
The known-good CSR does not include a Basic Constraints and Key Usage extension. Again, I don’t see why this should be causing any issues, but I’ll include it anyway for completeness sake.
To confirm, switching from the secp256k1 curve to the prime256v1 curve makes things work flawlessly - thanks very much! I wasn’t aware that only certain curves were supported. Seems strange that prime256v1 and secp384r1 are supported and secp256k1 isn’t - is there a rationale behind that?
well I havent found yet a nice list of all the different names used by the implementation
well I think that more work. I mean prome256v1 works, secp384r1, following the logic then secp256r1 should technically work as well so we would have p256, p384 and prime256…
also why not do p521, it’s longer and therefore potentially longer secure than p384
Firefox is in the process of removing it and replacing it with x25519, Opera would presumably do whatever Chrome (Which also replaced it with x25519) does since they share a common core.
As for Safari, who on earth knows what Apple is doing.
Edit: And Edge doesn’t support it at all, but they’re looking at other curves instead of x25519 I think.