ECDSA testing on staging

To make it short they do not like it.

Staging is updated with the latest configs and is issuing with the correct keyUsages.


Yes indeed, confirmed for ECDSA public key:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage: 

But with a RSA public key:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 

And confirmed proper behaviour in Chrome :slightly_smiling:

Yay :grinning: On to the release branch! :stuck_out_tongue: (And must-staple is almost ready too! :clap:)

1 Like

why is key encipherment just for RSA but not ECDSA?
(edit when my fingers are faster than my brain)

[quote=“My1, post:59, topic:8809”]
for RSA but not RSA?
[/quote] You meant ECDSA, presumably.

keyEncipherment means something that is only possible with RSA certificates, it doesn’t exist for ECDSA or DSA certificates. (And incidentally, said RSA key exchange is non-PFS anyway and for that reason (EC)DHE is preferred, just using the RSA key for signing the exchange.)

1 Like

Nice! I also just used an P-256 ECDSA CSR with the Staging Server and got a certificate containing only the Digital Signature (0x80) flag for Key Usage.

Can’t wait until this goes into production, so I can finally use AES_GCM (AEAD) instead of obsolete AES_CBC ciphers for Windows Server 2012R2 with IIS and for the Win7/8 clients using IE connecting to it (because SChannel on Windows before Win10/Server2016 supports TLS_ECDHE_ECDSA_WITH_AES_GCM, but not TLS_ECDHE_RSA_WITH_AES_GCM…)

1 Like

How do I properly generate an ec csr for LE? Please excuse the newb question.

I though I had it using the prime256v1 curve but when I try to generate a cert against staging I receive an invalid signature algorithm error.

Did you use the SHA256 hash? Some OpenSSL configs default to SHA1.

That was it. thank you.

This is still staging only correct or can I do this on production? If not, what’s the eta? I’m just curious. I’m in no rush whatsoever.

Hello @Fsantiago1979,

Since 10 Feb is in production too:


1 Like

Still no secp521r1 support. I’m still waiting on this so I don’t have to self-sign my certificates anymore


me too.
I mean p521 is the equivalent of essentially 256bit symmetric and essetially 15k+ RSA, giving it a lot more strength against Moore’s law than p256 or p384

1 Like

Chicken vs. egg story I think…

As far as I know, lack of browser support was the reason for not supporting secp521r1. But browsers won’t have a reason for supporting it, if CA’s won’t issue them anyway.


Shouldn’t we just wait for the new curves 25519 and 448 instead of hoping for support for older NIST curves?

@ecdsa-chacha20 why not both?


cerbot-auto can generate a SSL with ECDSA now?

AFAIK that’s not quite right. Chrome uses BoringSSL for TLS. Only the certificate validation is handled by the OS.

If I remember correctly, you can use ECDSA keys using the --csr flag, but not in any mode where certbot generates the certificate for you.

1 Like

well but then it is an intresting question on why chrome doesnt do TLS1.2 on XP like firefox does!topic/chrome/iZsc8ZG5hWk
I know that chrome now isnt supported but back at the time of this post it was still supported because in the announcement linked in the post it said that chrome wont do XP and longer starting from april 2016.
it’s also sad that they dont do EC certs (but which seems legit when the OS does the cert handling.
in my opinion it would have been better if they just did their stuff completely like forefox does.

dont get me wrong I think that right now XP isnt really a machine which should be connected to the internet because it has been dropped for over 2 years and a lot of their security is pretty bad by today’s standards.

But there are people who have no choice of using XP, especially in poorer countries.
and then the only major browser that can help them to do at least a bit of TLS security is Firefox.