Key-type = ecdsa

For initial certs. If you include the above parameter, my question is whether certbot produces both RSA + ECDSA certs or whether I need to run the command without the parameter to generate an RSA cert. Same question applies to Renewals. I want certbot to generate both RSA and ECDHE certs.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot certonly --preferred-challenges dns-01 --manual --manual-auth-hook {INSTALL_PATH}/automation/authenticators/ --manual-cleanup-hook {INSTALL_PATH}/automation/authenticators/ -d "*.${domain},$domain" --server $ACME_SERVER --email EMAIL_ADDRESS --manual-public-ip-logging-ok --cert-name "{domain}-ecdsa"

It produced this output: have not run it yet. Looking for guidance

My web server is (include version): n/a

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.13.0


Welcome Back :slightly_smiling_face:

Let's Encrypt returns an ECDSA certificate if an ECDSA key was presented in the CSR or an RSA certificate if an RSA key was presented in the CSR. Thus, you would need to run certbot twice (once with the parameter and once without).

1 Like

Ok, thanks for that clarification. That is definitely not clear from the documentation. How about renewals? Do I need to run that twice? Or will running just "certbot renew" work?

1 Like

It's not something I've tested, but my expectation would be that if you use --cert-name to ensure that you're making two separate certificates, and one is ECDSA and one is RSA, renewing would renew both even though they're both for the same domain. You should be able to test it's all good with some --dry-run renewals I'd think.

(Though before you make things overly complicated for yourself, do confirm that you actually still need RSA support at all. There is very little left that doesn't support ECDSA, though I do suppose it's not zero quite yet, and those older systems may not handle other stuff you might want like TLS 1.2 either.)


The default is to generate an RSA based end-entity certificate. If you specify the key-type it will generate whatever is specified. It does not generate both. I believe that if you do a renewal certbot will use the key-type of the ‘live’ certificate to generate the request for the renewal. You can test this functionality and check on the renewal aspect with the Staging environment.

Certbot will generate an ECDSA or RSA keypair for your end-entity certificate and Let’s Encrypt will sign your CSR with the RSA R3 intermediate that chains to the RSA Root X1. In the near future, Let’s Encrypt will start signing with the ECDSA E1 intermediates depending on which key-type is presented.


You're absolutely correct :slight_smile:

1 Like

I thought it already happened. :sweat_smile:

Got ahead of myself.

You're right of course about the key generation part. I was only describing the process from the perspective of Boulder since key generated = key CSR.

1 Like

when you use the --cert-name parameter, do you have to have an explicit name or is the file extension appended to what you specify. so if I use --cert-name does this create a file


Using --cert-name would create folders named /etc/letsencrypt/archive and /etc/letsencrypt/live under which would be an folder containing the usual cert.pem, chain.pem, fullchain.pem, and privkey.pem files.

It would also be used as "Certificate name" in the certbot certificates command.

I usually call my certificates (with --cert-name) something like and

1 Like

So the --cert-name parameter does not really name the certificates but instead creates a folder. That is not intuitive...

1 Like

The folder name corresponds to the certificate name, but has no actual correspondence to the domain names covered by the certificate unless you make it so. :upside_down_face:

The certificate name is just a label used for organization.

It names the cert for use in certbot. That name is used for a number of things, including the naming of the directories. If you thought it would change something inside the actual certificate, then no. That doesn't mean the term "cert-name" is incorrect though.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.