Full ECC support


#1

Hi.

I use LetsEncrypt on my Ubuntu 16.04 Server with Apache 2.4 and OpenSSL 1.0.2h. But I would like to use Elliptic Curve certificates.

I know that LE supports ECC, but as far as I know there is no “official” way to work with ECC. Using the standard client, I am not able to request, install or renew ECC, right? I need to create a CSR, request a new certificate, install it, and when I need to renew it, I have to do it again manually.

So is there any way to make it simpler? How can I request the certificate easily and, when it’s time for renewal, just renew it automatically by replacing the old certificates? Something like with RSA keys - letsencrypt certonly -d domain.com -d www.domain.com --rsa-key-size 4096 and, when renewing, letsencrypt renew.

Or how do you work with elliptic certificates?
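
The manual first step described in the post above (an EC key plus a CSR covering domain.com and www.domain.com), as an added example that is not part of the original thread. The function names, file names and the choice of the P-256 curve are assumptions; SANs are supplied through a config file so the same commands also run on OpenSSL 1.0.2.

```shell
#!/bin/sh
# Added example. make_ec_csr, csr_has_name and the file names are assumptions.

# make_ec_csr OUTDIR NAME...  - first NAME becomes the CN, all NAMEs become SANs
make_ec_csr() {
    outdir=$1; shift
    cn=$1
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done

    # SANs are passed through a config file, which also works on OpenSSL 1.0.2
    # (the -addext option only exists in later releases).
    cat > "$outdir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF

    # Private key on NIST P-256 (prime256v1), created owner-readable only.
    ( umask 077
      openssl ecparam -genkey -name prime256v1 -noout -out "$outdir/ec.key"
    ) || return 1

    openssl req -new -sha256 -key "$outdir/ec.key" \
        -config "$outdir/csr.cnf" -out "$outdir/ec.csr" || return 1
}

# csr_has_name CSR NAME - succeeds only if the CSR's self-signature verifies,
# its public key is an EC key, and NAME is one of its DNS SANs.
csr_has_name() {
    text=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
    printf '%s\n' "$text" | grep -q 'verify OK' || return 1
    printf '%s\n' "$text" | grep -q 'id-ecPublicKey' || return 1
    printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

workdir=$(mktemp -d)
make_ec_csr "$workdir" domain.com www.domain.com &&
    csr_has_name "$workdir/ec.csr" www.domain.com &&
    echo "CSR ready: $workdir/ec.csr"
```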


#2

It’s in the making. But some stuff has to be sorted out first. My own fork can happily generate ECC public/private key pairs and request such a certificate, but this has limited filesystem support to coincide together with RSA certificates (i.e. none: it just generates a bunch of new files as if it were just a new certificate/key pair without an RSA certificate alongside it). So until that’s sorted out (making sure ECC and RSA certificates can co-exist in a good, clear manner), there isn’t much you can do but wait.


#3

Thanks for this information. Is there any time information when this feature will be available? I don’t need any specific date, just for example Q4/2016 or something like this.


#4

I use https://github.com/Neilpang/acme.sh for that


#5

Same, using acme.sh works well for ECC certs - I use acme.sh as a wrapper to my acmetool.sh addon for auto nginx + letsencrypt ssl generation https://community.centminmod.com/posts/34608/ :)


#6

Great :) Works well, I hope that renewing the certificates will be OK as well :)

