Let's Encrypt ECDSA allowlist request

I have submitted this CSR a EC with secp384r1

-----BEGIN CERTIFICATE REQUEST-----
MIIBWjCB4QIBADAUMRIwEAYDVQQDDAlocC02Ny5jb20wdjAQBgcqhkjOPQIBBgUr
gQQAIgNiAAQm/uF65j/cdoIPTmFM8S0Yxy4v8MPxnRIG4l6ogiJzBsfMm+AbVbFJ
9RdSK/r38O9ow8PQ/ETNvVG5IUSlVgo8iI+Hwb6yeHq7oMI/W9TN7J/kWbSMLw4x
W3dD7Ng3aoygTjBMBgkqhkiG9w0BCQ4xPzA9MAkGA1UdEwQCMAAwCwYDVR0PBAQD
AgXgMCMGA1UdEQQcMBqCCWhwLTY3LmNvbYINd3d3LmhwLTY3LmNvbTAKBggqhkjO
PQQDAgNoADBlAjEA34SBaSuVhQKb4Ro0XRhMiOpqK1XbK/NSXuyU0jjgNu4x2y7X
a+BnChrqGSTb1MCFAjBmaLgayFOy5IwSqOnqZhS1wH0LbBrWiHbnF//AiXhO36lD
2i1cdwzoPH/qyeYtz1w=
-----END CERTIFICATE REQUEST-----

It was signed by Issuer R3
AIA: http://r3.i.lencr.org/

I though the EC CS would have been signed by E1, am I doing something wrong?

2 Likes

And here is the resulting certificate:

-----BEGIN CERTIFICATE-----
MIIEeDCCA2CgAwIBAgISBIjvf6e33qUY3u/lpI1gPMKiMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA4MTgyMjQxMjZaFw0yMTExMTYyMjQxMjRaMBQxEjAQBgNVBAMT
CWhwLTY3LmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABCb+4XrmP9x2gg9OYUzx
LRjHLi/ww/GdEgbiXqiCInMGx8yb4BtVsUn1F1Ir+vfw72jDw9D8RM29UbkhRKVW
CjyIj4fBvrJ4erugwj9b1M3sn+RZtIwvDjFbd0Ps2DdqjKOCAlIwggJOMA4GA1Ud
DwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUPwkQaf7uXrZRMBt3QtT8/nvybTwwHwYDVR0jBBgw
FoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUF
BzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9y
My5pLmxlbmNyLm9yZy8wIwYDVR0RBBwwGoIJaHAtNjcuY29tgg13d3cuaHAtNjcu
Y29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYB
BQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIE
AgSB9ASB8QDvAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF7
W6QZzgAABAMARjBEAiBgNjS2ErDuWTXBSe9xCT1jDURmayJqMufyVgmbh6Ug1AIg
MaYmT90JJBjZO5asqVQlwRrwlPB6qF0pjYDgjK6023QAdgBvU3asMfAxGdiZAKRR
Ff93FRwR2QLBACkGjbIImjfZEwAAAXtbpBoFAAAEAwBHMEUCIQD+Zd25mltS5/YV
/X5LMsH4zJAntH9j5dlw9XyfJcfWdgIgBn9pAFetp+x3qlXyXVTQHnxO/MKTJpIK
B8bdpH7cCv4wDQYJKoZIhvcNAQELBQADggEBALJuIn7uJJUd3g0tOpidhDYwOY4M
GRUwmOPaMheljPX8wnOOlPSu4rQ2mr2pPoNf2nmQnttuHWYy/76ccgEtp/nL73y9
uLcGbfc2R00IraGe3xT6pebPdMb9Zzrf1Ff8fe6CDTWXLq4iA0fTFvLnjWOAMhLZ
R7whcEgF322aC+0akMvYybVcHZtnNhZ6gDeYQs8R5ssp2/7J4rHwyPe/WQbawkfk
2hefgKTkT4ueb3yodBZ8xN/RaRSJxfH5+H5v5gIHf0Y45uk5yPVmCZs/omGu6W2X
ZD5Ggr82rcyNIfoy4Gh3pnAEuVIBmvgcChXI6E6sgFJxFd6xwS6+2ZqeeSA=
-----END CERTIFICATE-----
2 Likes

I did receive an email containing

Your request for your ACME account ID to be placed on the Let's Encrypt ECDSA allowlist has been moved to production. Now when you request a cert from Let's Encrypt with your ECDSA key, the cert will be issued from our ECDSA hierarchy.

And here is the Let's Encrypt's Hierarchay as of August 2021
[Chain of Trust - Let's Encrypt](https://Let's Encrypt's Hierarchay as of August 2021)

1 Like

Your CSR looks good to me, and as you say your cert is issued by R3, so it's the RSA chain. Looks like maybe the allowlist takes a while to propagate? When did you get that email?

2 Likes

Welcome to the Let's Encrypt Community, Bruce :slightly_smiling_face:

I know this will probably sound obvious, but are you certain that you used the same ACME account to issue your recent certificate that you submitted for the ECDSA allowlist?

Do you know the ACME account URL that you sent for the allowlist and the one that was used for issuance? (Neither are sensitive information for purposes of posting here.)

3 Likes

July 20, 2021

1 Like

I believe so, but I will double check.

Thanks!

2 Likes

I am not sure how find Let's Encrypt account ID,
I've been using https://gethttpsforfree.com/ as
my ACME Client.

Here is the email address I use:
sir.bruce.a.mitchell@gmail.com

and the public key SSL Key for it:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsGJWcwfXnPtyveMc98Cm
NJKWWzSN7rxNKqIPEzGi8F7H2F+CO1qGWgWo//C8nWigXwRvcUr1dkkgJfeZgPlV
deiEmWCkVBovvQNkGG5LTww/A7PAIhivyDyps+M55rKOg3AyWl87K/imTpK9z7JC
JqzpPrl6tu3aFcKwWEOCFAaHyj1D9h5DRR1CC3pMOMua2/RVl8L6LH9tQ7Ho/orq
WCsaZbYDp4IigPus+vSkOb+KJMTrr0g+CvcpeZr+nh0hctiTpuo7dSmf8ewgXFjh
zyAQ7+v1vp+lZ08k8cazmSuDyxzc9y+gVJ33bxooI9y0P1cPyJU37jLV+ssodzUK
9htsN6/LAL3Y9I2EHonoFGLsDDsklRFh7DpIyXK/d2VExV7V2UeB47bzvDKV8Yjl
qF88KdeC9MiqHYecdD2UHFS0hU9rga5A8QMoV2idv0mD+h4luRUhL2J1rSVIpl/D
zsIhUxRX5km6S/dsFcfy+ZjQaZFbkDFZDe2tBdalIzpCqcelhD67Qen6lDbWAh8x
rzmE5Iddv6DQe8o46mcH3w5c6r54yuN83gEluxVkealYFdDXPkLNzr3cwf+GZ5kP
YGMJCCmxU220uEPLrctl1P2Kp50mfDSlbhvxXBq8OSBXBDK7JOYyfQJ5n4Ee67nU
I4JHkdc/Io28ws8GZ3l7+VMCAwEAAQ==
-----END PUBLIC KEY-----

This really links to How do I to find my Let's Encrypt account ID when using https://gethttpsforfree.com/?

Yeah, that's what got me to do this postHow do I to Let’s Encrypt account ID when using https://gethttpsforfree.com/?
Thank you!
:wink:

Well I believe I am using the same ACME account, found the answer to finding my ACME account here:

However my ECDSA certificate request is still being signed by R3 and not E1.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.