I'm running "/usr/local/bin/certbot --apache -v renew" via the Launchcontrol app on Mac.
My domain is: robert-chalmers.uk
simple question, do I need to update the RSA cert to an ECDSA cert?
Or does it do it automatically now?
Or do I do it with certbot certonly and then it's ok.
It won't do it automatically.
New certificates are ecdsa (on certbot 2.0+), existing ones keep their algorithms.
If you want an ecdsa certificate to replace an existing one, you have to ask for it explicitly. But... you don't need to.
In short: No; You are not required to change anything - nor will any such change happen automatically.
That being said... [Enter the long story]:
Apache does support using multiple certs [of different types].
So, you could actually use both [an RSA & an ECDSA cert] for your domain [in the same vhost].
You could also review the differences [pros and cons] of each type and make your own educated decision about which type/strength/ciphers you want to use.
For clarity, a command similar to this one will cause certbot to ask "An RSA certificate already exists. Do you want to update its key type to ECDSA?"
certbot certonly -d example.com --apache
I did notice, however, the signature algorithm is stuck on SHA-256 with RSA Encryption.
That's not something Certbot can controle, but is managed by the CA.
See our recent announcement about this changing on June 6th, 2024.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.