ECDSA testing on staging

How do I properly generate an EC CSR for LE? Please excuse the newb question.

I thought I had it using the prime256v1 curve, but when I try to generate a cert against staging I receive an invalid signature algorithm error.

Did you use the SHA256 hash? Some OpenSSL configs default to SHA1.

That was it. thank you.
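The exchange above comes down to one OpenSSL detail: the hash used to sign a CSR is taken from `default_md` in the `[ req ]` section of the config file unless a digest flag such as `-sha256` is given on the command line, so a config that still says `sha1` produces an `ecdsa-with-SHA1` CSR even though the key itself is a perfectly good P-256 key. The following POSIX shell script is an added example, not code posted in this thread: it generates a prime256v1 (NIST P-256) key, builds CSRs against a config that defaults to `sha1` and one that defaults to `sha256`, and reads the signature algorithm back out of each CSR so the problem is visible before the CSR is ever submitted. It assumes an `openssl` binary on `PATH`; the CN `example.test`, the file names and the `csr_ok_for_le` helper name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build an ECDSA P-256 CSR for
# Let's Encrypt and show how the OpenSSL config's default_md decides the
# hash used to sign it. File names and the CN are placeholders.
set -eu

# write_req_config FILE DEFAULT_MD
# Minimal openssl.cnf for 'openssl req'. default_md in [ req ] is the hash
# used to sign the CSR when no -sha256/-sha1 flag is given on the command line.
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
default_md = $2
[ req_dn ]
EOF
}

# make_ec_key KEYFILE
# prime256v1 is OpenSSL's name for NIST P-256 (secp256r1).
make_ec_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# make_ec_csr KEYFILE CSRFILE CN CONFIG [DIGEST]
# DIGEST (e.g. sha256), when given, is passed as -DIGEST and overrides default_md.
make_ec_csr() {
    key=$1; csr=$2; cn=$3; cfg=$4; digest=${5:-}
    if [ -n "$digest" ]; then
        openssl req -new "-$digest" -key "$key" -subj "/CN=$cn" -config "$cfg" -out "$csr"
    else
        openssl req -new -key "$key" -subj "/CN=$cn" -config "$cfg" -out "$csr"
    fi
}

# csr_sig_alg CSRFILE
# Print the signature algorithm recorded in the CSR, e.g. ecdsa-with-SHA256
# or ecdsa-with-SHA1. A CSR has exactly one such line in -text output.
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_ok_for_le CSRFILE  (placeholder helper name)
# Succeeds only if the CSR is ECDSA signed with SHA-256, the combination the
# thread found staging accepts.
csr_ok_for_le() {
    [ "$(csr_sig_alg "$1")" = "ecdsa-with-SHA256" ]
}

# Demo: one key, one CN, three ways of choosing the hash.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ec_key "$work/ec.key"
write_req_config "$work/sha1.cnf" sha1
write_req_config "$work/sha256.cnf" sha256

# 1. Config defaults to sha1 and no flag is given: the rejected combination.
#    Some OpenSSL builds refuse to make SHA-1 signatures at all, so guard it.
if make_ec_csr "$work/ec.key" "$work/bad.csr" example.test "$work/sha1.cnf" 2>/dev/null; then
    echo "default_md = sha1, no flag:      $(csr_sig_alg "$work/bad.csr")"
else
    echo "default_md = sha1, no flag:      this OpenSSL build refuses SHA-1 signatures"
fi
# 2. Same sha1 config, but -sha256 on the command line overrides it.
make_ec_csr "$work/ec.key" "$work/fix1.csr" example.test "$work/sha1.cnf" sha256
echo "default_md = sha1, -sha256 flag: $(csr_sig_alg "$work/fix1.csr")"
# 3. Config fixed to sha256, no flag needed.
make_ec_csr "$work/ec.key" "$work/fix2.csr" example.test "$work/sha256.cnf"
echo "default_md = sha256, no flag:    $(csr_sig_alg "$work/fix2.csr")"
csr_ok_for_le "$work/fix2.csr" && echo "fix2.csr is signed with SHA-256"
```

Either fix works on its own: pass `-sha256` every time, or set `default_md = sha256` in the config you hand to `openssl req` so the flag can no longer be forgotten. Note that the key's curve and the CSR's signature hash are independent choices, which is why a correct P-256 key still produced the error in the question. The CSR is only a proof of possession of the key; the CA signs the final certificate with its own algorithm.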

This is still staging only correct or can I do this on production? If not, what’s the eta? I’m just curious. I’m in no rush whatsoever.

Hello @Fsantiago1979,

Since 10 Feb it is in production too:

Cheers,
sahsanu

1 Like

Still no secp521r1 support. I’m still waiting on this so I don’t have to self-sign my certificates anymore

2 Likes

me too.
I mean P-521 is the equivalent of essentially 256-bit symmetric and essentially 15k+ RSA, giving it a lot more strength against Moore's law than P-256 or P-384.

1 Like

Chicken vs. egg story I think…

As far as I know, lack of browser support was the reason for not supporting secp521r1. But browsers won't have a reason to support it if CAs won't issue such certificates anyway.

2 Likes

Shouldn’t we just wait for the new curves 25519 and 448 instead of hoping for support for older NIST curves?

@ecdsa-chacha20 why not both?

2 Likes

Can certbot-auto generate an SSL certificate with ECDSA now?

AFAIK that's not quite right. Chrome uses BoringSSL for TLS. Only the certificate validation is handled by the OS.

If I remember correctly, you can use ECDSA keys using the --csr flag, but not in any mode where certbot generates the certificate for you.

1 Like

Well, but then it is an interesting question why Chrome doesn't do TLS 1.2 on XP like Firefox does:
https://productforums.google.com/forum/#!topic/chrome/iZsc8ZG5hWk
I know that Chrome isn't supported on XP now, but at the time of this post it was still supported, because the announcement linked in the post said that Chrome won't support XP any longer starting from April 2016.
It's also sad that they don't do EC certs (which seems legitimate when the OS does the cert handling).
In my opinion it would have been better if they just did everything themselves, like Firefox does.

Don't get me wrong, I think that right now XP isn't really a machine which should be connected to the internet, because it has been dropped for over 2 years and a lot of its security is pretty bad by today's standards.

But there are people who have no choice but to use XP, especially in poorer countries.
And then the only major browser that can help them to get at least a bit of TLS security is Firefox.

2 Likes