Is your server serving up the certificate you think it should be serving?
1 Like
The "Signature Algorithm" describes what kind of signature was used by Let's Encrypt's intermediate certificate to sign your leaf certificate. By default, unless you've specifically opted-in to get signed by an ECDSA intermediate, your certificates will be signed with the RSA intermediate. That's the "sha256WithRSAEncryption" you see. That's the same whether your key, used by your certificate to secure a connection, is an RSA or ECDSA key.
You'll want to look at the "key size" and "public key algorithm" and the like to see which kind of public key your certificate uses itself.
5 Likes
In short:
The key is likely ECDSA
The keychain is RSA
3 Likes
well
I set in cPanel ssl to ecdsa type and i see (sectigo)
X9.62 ECDSA Signature with SHA-256 as Signature Algorithm
same confirmed by ssl checkers
in a certbot case with default settings I do not see it anywhere, only in possible cipher list.
You can check any server protected by certbot certificate, I do not see any difference in ssl checker with RSA or ECDSA
update
with zerossl i see X9.62 ECDSA Signature with SHA-256 as Signature Algorithm
Could you please provide specific hostnames?
I agree with my fellow volunteers that what you've written in your opening post (the first post of the thread) that a ECDSA cert was signed by R3, an RSA intermediate.
Also note that the certs known to Certbot aren't necessarily also the certs that are installed in the webserver.
5 Likes
I think that you're just conflating concepts here, though I can see how they can be confusing.
You can choose to have an RSA or ECDSA key in your certificate. (And most systems work fine with either, though a couple oddballs don't support ECDSA.)
The CA can similarly choose to have an RSA or ECDSA key in its intermediate certificate that it uses to sign yours. (And most systems similarly work fine with either.) They can use an RSA key to sign an ECDSA-keyed certificate, or vice-versa even.
The "Signature Algorithm" that you see just tells you the latter. Which may be interesting to know, but doesn't really matter unless you're trying to diagnose an issue with some oddball system that doesn't support the signature algorithm.
Let's Encrypt uses RSA signatures for almost everything, unless you've specifically opted-in to get the ECDSA signature of your ECDSA-keyed certificates.
Other CAs do other things. Having ECDSA-keyed certificates signed by ECDSA intermediates is very common, and Let's Encrypt will (hopefully) be switching to do so more often (rather than being on an opt-in basis only) at some point "soon". I'm not surprised that the other CAs that you're testing are doing so.
Is there some actual problem you're trying to resolve, or are you just "nosy" (which is a good thing; I certainly am with this stuff) and curious why you see different things in different places?
5 Likes
@amg-web If you use the SSL Checker below what does it say for "Key Type"?
Below is sample of an ECDSA leaf cert
3 Likes
I see. You think I make noise
is ecdsa in letsencrypt for in this case?
Even if I set ECDSA explicitly, I do not see it in ssl checks.
But when I used zerossl I see changes immediately.
on same server, all configs same, even cipher list without changes.
well, i see type ecdsa
but another question in this case:
what is the profit to sign ecdsa by rsa?
1 Like
That's a broad question but more details of Let's Encrypt Intermediates is here:
3 Likes
Yes, I do.
All you do is mention SSL checker and ZeroSSL but you don't show us any real information nor domain.
Cipher lists have very little to do with certificate types [only indirectly].
Any type can sign any [other] type.
Think of them as literal keys and keychains/keyrings.
The keychain can be gold or silver and the keys can be silver or gold [or 14K or 18K]; It makes no difference, the keychain will hold all those keys.
4 Likes
ok. thanks.
clear
you can check even here
https://www.ssllabs.com/ssltest/analyze.html?d=community.letsencrypt.org&s=184.105.99.43
1 Like
That is not an ECDSA cert.
What should we be looking for?
2 Likes
I found why i confused.
shows key type as EC 256 bits
and checked private key file size it became small.
What is your Domain Name?
1 Like
You're linking here to the generic home page of the SSL Test service.
You said YOU have certificates issued with Certbot 2.6.0. Please provide actual example hostnames for which you're having doubts or troubles and please specify which troubles you have, if any.
4 Likes
Yeah, that's simply a certificate containing a ECDSA public key, signed by the RSA intermediate "R3".
If you want your ECDSA certificates signed by the ECDSA intermediate E1, you need to sign up for the opt-in allow-list mentioned here: ECDSA availability in production environment
In practice, it doesn't really matter if your chain is ECDSA only or a combination of ECDSA and RSA. Only with HUGE amount of connections, the size of the certificate (due to the size of the public key and signature) matters.
5 Likes
This is the certificate presently being served crt.sh | 9532971513
The full certificate chain.
$ openssl s_client -showcerts -servername moodle.variolms.com -connect moodle.variolms.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = moodle.variolms.com
verify return:1
---
Certificate chain
0 s:CN = moodle.variolms.com
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: May 31 08:31:17 2023 GMT; NotAfter: Aug 29 08:31:16 2023 GMT
-----BEGIN CERTIFICATE-----
MIIEYTCCA0mgAwIBAgISA5U/gGkfxCdYqzP09jcm8qkxMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA1MzEwODMxMTdaFw0yMzA4MjkwODMxMTZaMB4xHDAaBgNVBAMT
E21vb2RsZS52YXJpb2xtcy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJ
vKC6d/TAZXsEGF+4xpQ1c/ausNtcMe3hOpo9WYPxWPfTmlHXtueINJzOI1RzEAzj
cxnE19ksaTH42iB+NS6Io4ICTjCCAkowDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSr
kRExk6dAylYnFMWNftHDx5mgzDAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+d
ixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxl
bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAeBgNV
HREEFzAVghNtb29kbGUudmFyaW9sbXMuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIB
MDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu
Y3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAejKMVNi3LbYg6jjg
Uh7phBZwMhOFTTvSK8E6V6NS61IAAAGIcSW5QAAABAMARzBFAiEA+SCvrdJZX2u0
687+2UWxd+nUO8IM8qDOnq2rbGsXgn0CIHWP2MYAljcIuK6O/eALMBel6EOcXyie
2s4ulY8oCExxAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGI
cSW5cwAABAMARzBFAiEAz32Zrp7QPKTkABUN1s4VB2mdE6+EB4uKO2qCucyu0DQC
IFPGb1tQoVHNbZ0JzOkCgbOVzVMEMxhfDdQfMq/UWu1hMA0GCSqGSIb3DQEBCwUA
A4IBAQBFbqoKGkJk9iv575zE03naKn7ST79Ft5HaoPY7eZ6CYdhXBKZQK8zW5enP
lN90bC2ReW8BzVz/ogXXD5ajrcpuYoC2ZaAA398S53FXmn3BP9Tqy7XHCh1EBo0s
1nbtrpmGkRevwpeGQ2rqF5TbIKsLp1QrW+uZepIYaUJYpyooWporZnG+ohw74Vjd
nvBWC+onvvA4EIjDmJPMhSUxV5yC2D7EkAFYA2HVBs22mUC6J0T4fRpEijgwC1zC
d080oGqUR6Eetrx9gdbrYS/mdsO2APqICFIxkb16D9gQjq2vElBtW8U0qCa2D3w1
EVcViXfWOh/NTuJ9rn81+vscWV/P
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = moodle.variolms.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4196 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
2 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.