I am a consumer of Let's Encrypt certs generated by cert-manager. We currently have 10 clusters that are running the certs. For each cluster it's a new account. I wanted to move to ECDSA certs instead of RSA. I found out that I need to fill out a form to be added to the allowlist for the accounts that need ECDSA certs. I can do that for the existing environments.
Is it possible to add to the whitelist based on the domains instead of the accounts? Because if we create new environments, then we need to wait till the account is added to the allowlist to get the certs issued. If it's not possible, can you suggest some alternatives that are possible, other than deploying a new environment, getting a new account, requesting the account to be added to the allowlist and waiting for it?
It's not, unfortunately. And I don't think Let's Encrypt will add this option, as I believe Let's Encrypt is working towards making the ECDSA-only chain the default for all ECDSA end leaf certificates (although I'm not familiar with an exact timetable).
By default those ECDSA certificates will be issued by an RSA intermediate (R3), but that should not make any functional difference for your server or your clients (w.r.t. choice of ciphers, handshake performance, etc.; that all depends exclusively on the leaf certificate type). Only if you want your ECDSA certificates to be issued by an ECDSA intermediate (E1) can you currently request this on an account basis via the allowlist, until this becomes the default on LE's side.
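Since the answer above turns on the difference between an ECDSA leaf issued by an RSA intermediate and a chain that is ECDSA end to end, a mechanical check of what a chain file actually contains is useful, both for confirming what cert-manager wrote to the Secret and for evidencing a "full chain in ECDSA" requirement. The script below is an added example, not code from this thread, cert-manager or Let's Encrypt: it splits a PEM bundle into its certificates and reports each certificate's public-key algorithm using only the `openssl` CLI. The demo chains it builds are constructed throwaway test CAs (the names "Demo RSA intermediate" and "Demo ECDSA intermediate" are made up here and are not R3 or E1).

```shell
#!/bin/sh
# Added example, not from the thread: report the public-key algorithm of every
# certificate in a PEM chain, so a "whole chain must be ECDSA" requirement can
# be checked mechanically. Needs only the openssl CLI.

# chain_key_types FILE
# Prints one line per certificate in FILE: "<subject> <public key algorithm>",
# e.g. "CN=example.test id-ecPublicKey" or "CN=Demo RSA intermediate rsaEncryption".
chain_key_types() {
    chain=$1
    split=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate; zero-padded names keep
    # the chain order (leaf first, then issuers) when globbing.
    awk -v dir="$split" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" sprintf("%03d", n) ".pem") }' "$chain"
    for f in "$split"/cert*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        # "Public Key Algorithm" is the key type of the certificate holder,
        # independent of the algorithm its issuer used to sign it.
        alg=$(openssl x509 -in "$f" -noout -text | sed -n 's/.*Public Key Algorithm: //p')
        printf '%s %s\n' "$subject" "$alg"
    done
    rm -rf "$split"
}

# chain_is_all_ecdsa FILE
# Exit 0 if every certificate in FILE has an EC public key, 1 if any uses
# another algorithm (e.g. an RSA intermediate), 2 if FILE holds no certificates.
chain_is_all_ecdsa() {
    types=$(chain_key_types "$1")
    [ -n "$types" ] || return 2
    if printf '%s\n' "$types" | grep -qv 'id-ecPublicKey$'; then
        return 1
    fi
    return 0
}

# make_demo_chains DIR
# Builds two constructed chains under DIR for illustration (throwaway
# self-signed test CAs, not Let's Encrypt's real intermediates):
#   DIR/mixed_chain.pem - ECDSA leaf signed by an RSA intermediate
#   DIR/ecdsa_chain.pem - ECDSA leaf signed by an ECDSA intermediate
make_demo_chains() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rsa_int.key" \
        -out "$d/rsa_int.pem" -subj "/CN=Demo RSA intermediate" -days 1 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec_int.key"
    openssl req -x509 -new -key "$d/ec_int.key" -out "$d/ec_int.pem" \
        -subj "/CN=Demo ECDSA intermediate" -days 1
    # One P-256 leaf key and CSR, signed by each intermediate in turn
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -subj "/CN=example.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rsa_int.pem" -CAkey "$d/rsa_int.key" \
        -CAcreateserial -days 1 -out "$d/leaf_by_rsa.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ec_int.pem" -CAkey "$d/ec_int.key" \
        -CAcreateserial -days 1 -out "$d/leaf_by_ec.pem" 2>/dev/null
    cat "$d/leaf_by_rsa.pem" "$d/rsa_int.pem" > "$d/mixed_chain.pem"
    cat "$d/leaf_by_ec.pem" "$d/ec_int.pem" > "$d/ecdsa_chain.pem"
}

# Usage: sh chaincheck.sh fullchain.pem   (no argument: run the built-in demo)
if [ -n "$1" ]; then
    chain_key_types "$1"
    chain_is_all_ecdsa "$1" && echo "all ECDSA" || echo "chain contains non-ECDSA keys"
else
    demo=$(mktemp -d)
    make_demo_chains "$demo"
    for c in mixed_chain ecdsa_chain; do
        echo "== $c.pem"
        chain_key_types "$demo/$c.pem"
        chain_is_all_ecdsa "$demo/$c.pem" && echo "all ECDSA" || echo "chain contains non-ECDSA keys"
    done
    rm -rf "$demo"
fi
```

Run it against the `tls.crt` that cert-manager stores (that file carries the leaf followed by the intermediate) to see which case you are in: an `id-ecPublicKey` leaf above an `rsaEncryption` issuer is the default situation described above, and only an all-`id-ecPublicKey` listing satisfies a full-chain ECDSA requirement. The check looks at each certificate's own key type, which is the property a security requirement about "ECDSA certs" normally means; a cert's signature algorithm is a separate field that `openssl x509 -text` also prints if you need it.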
We have a requirement from our Security team that we need to have our full chain certs in ECDSA. I understand the ECDSA chain is possible with the allowlist. So I wanted to know when ECDSA will be the default, so I can plan accordingly what changes to make.