Key-type = ecdsa

For initial certs. If you include the above parameter, my question is whether certbot produces both RSA + ECDSA certs or whether I need to run the command without the parameter to generate an RSA cert. Same question applies to Renewals. I want certbot to generate both RSA and ECDHE certs.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jeffsani.com

I ran this command:
certbot certonly --preferred-challenges dns-01 --manual --manual-auth-hook {INSTALL_PATH}/automation/authenticators/godaddy_authenticator_1.0.sh --manual-cleanup-hook {INSTALL_PATH}/automation/authenticators/godaddy_cleanup_1.0.sh -d "*.${domain},$domain" --server $ACME_SERVER --email EMAIL_ADDRESS --manual-public-ip-logging-ok --cert-name "{domain}-ecdsa"

It produced this output: have not run it yet. Looking for guidance

My web server is (include version): n/a

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.13.0

3 Likes

Welcome Back :slightly_smiling_face:

Let's Encrypt returns an ECDSA certificate if an ECDSA key was presented in the CSR or an RSA certificate if an RSA key was presented in the CSR. Thus, you would need to run certbot twice (once with the parameter and once without).

1 Like

Ok, thanks for that clarification. That is definitely not clear from the documentation. How about renewals? Do I need to run that twice? Or will running just "certbot renew" work?

1 Like

It's not something I've tested, but my expectation would be that if you use --cert-name to ensure that you're making two separate certificates, and one is ECDSA and one is RSA, renewing would renew both even though they're both for the same domain. You should be able to test it's all good with some --dry-run renewals I'd think.

(Though before you make things overly complicated for yourself, do confirm that you actually still need RSA support at all. There is very little left that doesn't support ECDSA, though I do suppose it's not zero quite yet, and those older systems may not handle other stuff you might want like TLS 1.2 either.)

2 Likes

The default is to generate an RSA based end-entity certificate. If you specify the key-type it will generate whatever is specified. It does not generate both. I believe that if you do a renewal certbot will use the key-type of the ‘live’ certificate to generate the request for the renewal. You can test this functionality and check on the renewal aspect with the Staging environment.

Certbot will generate an ECDSA or RSA keypair for your end-entity certificate and Let’s Encrypt will sign your CSR with the RSA R3 intermediate that chains to the RSA Root X1. In the near future, Let’s Encrypt will start signing with the ECDSA E1 intermediates depending on which key-type is presented.

3 Likes
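The two-run approach described in the replies above (one certbot run per key type, each with its own --cert-name, then a --dry-run renewal against the staging environment to confirm both lineages renew) as a script. This is an added example, not code from the thread or from the Certbot project; the hook paths and e-mail address are placeholders, it assumes a certbot release that has --key-type (1.10 or later), and the staging directory URL is the one Let's Encrypt publishes.

```shell
#!/bin/sh
# Added example: issue one RSA and one ECDSA lineage for the same names, then
# confirm that "certbot renew" handles both with a dry run.
# Assumptions: certbot >= 1.10 (--key-type exists); hook scripts and e-mail are
# placeholders supplied by the caller; CERTBOT can be set to "echo" to preview.
set -eu

CERTBOT="${CERTBOT:-certbot}"
ACME_SERVER="${ACME_SERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}"
AUTH_HOOK="${AUTH_HOOK:-/path/to/godaddy_authenticator_1.0.sh}"   # placeholder
CLEANUP_HOOK="${CLEANUP_HOOK:-/path/to/godaddy_cleanup_1.0.sh}"   # placeholder
EMAIL="${EMAIL:-admin@example.com}"                               # placeholder

# lineage_name DOMAIN KEYTYPE -> the --cert-name used for that key type,
# e.g. example.com-ecdsa, so the two lineages never overwrite each other.
lineage_name() {
    printf '%s-%s\n' "$1" "$2"
}

# issue_lineage DOMAIN KEYTYPE: one certbot run per key type. Certbot only
# generates the key type it is asked for, so RSA and ECDSA need separate runs.
issue_lineage() {
    domain=$1
    keytype=$2
    "$CERTBOT" certonly \
        --manual --preferred-challenges dns-01 \
        --manual-auth-hook "$AUTH_HOOK" \
        --manual-cleanup-hook "$CLEANUP_HOOK" \
        --server "$ACME_SERVER" --email "$EMAIL" \
        --key-type "$keytype" \
        --cert-name "$(lineage_name "$domain" "$keytype")" \
        -d "*.${domain}" -d "$domain"
}

# issue_both DOMAIN: the RSA run first, then the ECDSA run.
issue_both() {
    issue_lineage "$1" rsa
    issue_lineage "$1" ecdsa
}

# check_renewal: "certbot renew" walks every lineage it knows about, so a
# single dry run exercises both the RSA and the ECDSA lineage.
check_renewal() {
    "$CERTBOT" renew --dry-run
}

if [ "${1:-}" != "" ]; then
    issue_both "$1"
    check_renewal
fi
```

Run it as `sh issue_both.sh jeffsani.com` once the hook paths point at the real authenticator scripts; with `CERTBOT=echo` it only prints the two command lines, which is a cheap way to review the arguments before touching the ACME server.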

You're absolutely correct :slight_smile:

1 Like

I thought it already happened. :sweat_smile:

Got ahead of myself.

You're right of course about the key generation part. I was only describing the process from the perspective of Boulder since key generated = key CSR.

1 Like

When you use the --cert-name parameter, do you have to have an explicit name, or is the file extension appended to what you specify? So if I use --cert-name example.com-ecdsa, does this create a file example.com-ecdsa.pem?

2 Likes

Using --cert-name example.com-ecdsa would create folders named /etc/letsencrypt/archive and /etc/letsencrypt/live under which would be an example.com-ecdsa folder containing the usual cert.pem, chain.pem, fullchain.pem, and privkey.pem files.

It would also be used as "Certificate name" in the certbot certificates command.

I usually call my certificates (with --cert-name) something like example.com-ecdsa and example.com-rsa.

1 Like
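A small helper that maps a --cert-name to the files certbot keeps under /etc/letsencrypt, as laid out in the reply above, and reports which key algorithm each lineage actually carries by reading its cert.pem with openssl. This is an added example, not code from the thread or from Certbot; it assumes the default /etc/letsencrypt base directory (overridable with LE_DIR) and that openssl is on PATH for the inspection functions.

```shell
#!/bin/sh
# Added example: locate a lineage's files by its certbot "Certificate name" and
# report the key algorithm of every lineage so RSA and ECDSA can be told apart.
# Assumptions: base dir is /etc/letsencrypt unless LE_DIR is set; openssl on PATH.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# lineage_dir NAME -> the live/ directory; its *.pem entries are symlinks into
# archive/NAME/ that certbot repoints on every renewal.
lineage_dir() {
    printf '%s/live/%s\n' "$LE_DIR" "$1"
}

# lineage_file NAME KIND -> path of cert|chain|fullchain|privkey for the lineage.
lineage_file() {
    case "$2" in
        cert|chain|fullchain|privkey)
            printf '%s/%s.pem\n' "$(lineage_dir "$1")" "$2" ;;
        *)
            echo "unknown file kind: $2" >&2
            return 1 ;;
    esac
}

# key_algo CERT_PEM -> "rsaEncryption" or "id-ecPublicKey", as openssl names
# the SubjectPublicKeyInfo algorithm; the certificate itself has no idea what
# --cert-name was, only its key type and the names it covers.
key_algo() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# report: one line per lineage with its key algorithm and notAfter date.
report() {
    for dir in "$LE_DIR"/live/*/; do
        name=$(basename "$dir")
        cert="$dir/cert.pem"
        [ -f "$cert" ] || continue
        printf '%-30s %-16s %s\n' "$name" "$(key_algo "$cert")" \
            "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
    done
}

if [ "${1:-}" = "report" ]; then
    report
fi
```

`sh lineages.sh report` prints one line per lineage; after an RSA and an ECDSA issuance for the same domain you should see two rows, one rsaEncryption and one id-ecPublicKey, which is the quickest way to confirm the two --cert-name lineages really hold different key types.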

So the --cert-name parameter does not really name the certificates but instead creates a folder. That is not intuitive...

1 Like

The folder name corresponds to the certificate name, but has no actual correspondence to the domain names covered by the certificate unless you make it so. :upside_down_face:

The certificate name is just a label used for organization.

It names the cert for use in certbot. That name is used for a number of things, including the naming of the directories. If you thought it would change something inside the actual certificate, then no. That doesn't mean the term "cert-name" is incorrect though.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.