I cannot get SSL cert Certbot: error: unrecognized arguments: prefered-challenges=dns

certbot will take care of the entire CSR process for you - there is no need to concern yourself with that.

2 Likes

You can probably put it anywhere.

As for sha384 it probably has nothing to do with your key, and everything to do with the signature/certificate. I understand you want sha384WithRSAEncryption as a signature algorithm instead of sha256WithRSAEncryption.

I don't even know if Let's Encrypt supports this.

Certbot will generate what it needs by itself.

2 Likes

I think it can support up to 512.
But that is only relevant to "secure" the CSR process.

1 Like

OK. What about a SAN wildcard? Can I do it like this: -d dsrlearn.com -d *.dsrlearn.com

Quote the asterisk if your shell complains.

1 Like

You need to read up on the wildcard requirements.
For example: you can't use HTTP-01 authentication.

1 Like

No problem with that, but is there a way to request sha384?

Please explain exactly what you are requesting.

2 Likes

I want a sha384WithRSAEncryption cert; for that, a sha384 hash should be used. Is there a way to generate a cert with sha384?

Why are you doubting that the SHA384 hash isn't used already? Hm, never mind, it's with ECDSA keys that the key size defines the SHA used. Not with RSA.

2 Likes

But why does an RSA key have SHA? sha384WithRSAEncryption. Is it needed? Will I get sha256withRsaEncryption? I think that's the default.

SHA is a signature algorithm, RSA is an asymmetric public/private key algorithm. Two different things. For a certificate signature, the relevant portion of the certificate is first hashed using SHA, and an RSA signature is then made of that hash.

For RSA certificates, Let's Encrypt uses the SHA-256 algorithm. For ECDSA certificates, it depends on the key curve: P-256 requires a SHA-256 hash and P-384 requires a SHA-384 hash (the Baseline Requirements demand that).

4 Likes

Then I would like to create an ECDSA P-256 cert. Can you tell me which command to use?

Because of the SHA hash used? I don't get it...

Please read the Certbot documentation first before asking for help.

3 Likes

I read the Certbot docs. But they just have the instructions explained.

I'm sorry, but I don't understand.

2 Likes

Let's Encrypt signs with sha256 even for ECDSA. A hash algorithm is used to sign RSA or ECDSA certs. I just want to know if there is any way to get a Let's Encrypt cert signed with sha384.

Yes, when signing a certificate with an ECDSA key with the P-256 curve, because that's mandatory.

For ECDSA keys with the P-384 curve, it's mandatory to use SHA-384.

4 Likes

Is there no way to generate a cert with --csr and key so that both are not mismatched?

There is no way to generate a cert with a --csr and key that don't match.

There is no need to self-generate a --csr with any ACME client.

There is no explanation for requesting a --csr, with any specific type of "encryption", when that request won't change the outcome [the encryption strength of the certificate will remain the same].

1 Like
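The point made in the replies above (the hash in a certificate's signature is set by the issuer, and the certificate always carries the key from the CSR) can be checked locally with the OpenSSL CLI. This is an added example, not part of the original thread; the throwaway "Demo CA" standing in for the issuer and the name example.test are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (constructed): a CSR signed with SHA-384 still yields a
# certificate whose signature hash is whatever the issuer chooses.
# "Demo CA" and example.test are hypothetical names.

# Print the signature algorithm of a CSR ("req") or certificate ("x509").
sig_alg() {
  openssl "$1" -in "$2" -noout -text |
    awk '/Signature Algorithm/ {print $NF; exit}'
}

demo() {
  d=$(mktemp -d) || return 1
  # Stand-in issuer: a self-signed RSA CA key and certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Subscriber key plus a CSR that is self-signed using SHA-384.
  openssl req -new -newkey rsa:2048 -nodes -sha384 \
    -subj "/CN=example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  # The issuer signs with SHA-256, following its own policy.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$d/leaf.pem" 2>/dev/null

  CSR_ALG=$(sig_alg req "$d/leaf.csr")
  CERT_ALG=$(sig_alg x509 "$d/leaf.pem")

  # The issued certificate carries the public key of the CSR's private key.
  cert_pub=$(openssl x509 -in "$d/leaf.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$d/leaf.key" -pubout 2>/dev/null)
  if [ "$cert_pub" = "$key_pub" ]; then KEY_MATCH=yes; else KEY_MATCH=no; fi
  rm -rf "$d"
}

demo
echo "CSR signature algorithm:  $CSR_ALG"
echo "Cert signature algorithm: $CERT_ALG"
echo "Cert key matches CSR key: $KEY_MATCH"
```

The same `openssl x509 -in cert.pem -noout -text` inspection works on a certificate issued by a public CA to see which signature algorithm was actually used.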