Let's Encrypt ECDSA certificate request for new accounts

Hello there,

I am a consumer of Let's Encrypt certs generated by cert-manager. We currently have 10 clusters that are running the certs. For each cluster it's a new account. I wanted to move to ECDSA certs instead of RSA. I found out that I need to fill out a form to add the accounts that need ECDSA certs to the allowlist. I can do that for the existing environments.

Is it possible to add to the whitelist based on the domains instead of the accounts? Because if we create new environments, then we need to wait till the account is added to the allowlist to get the certs issued. If it's not possible, can you suggest some alternatives that are possible, other than deploy a new environment, get a new account, request the account to be added to the allowlist and wait for it?

Best Regards,
Allan John

1 Like

Do you need a complete ECDSA chain [and root]?
OR just an ECDSA cert?
[two very different requests]

4 Likes

Thanks for replying fast. I need an ECDSA chain.

1 Like

OK.
Do you need to use a separate LE account for each cluster?

4 Likes

It's not, unfortunately. And I don't think Let's Encrypt will add this option, as I believe Let's Encrypt is working towards making the ECDSA-only chain the default for all ECDSA end leaf certificates (although I'm not familiar with an exact timetable).

1 Like

Thanks for the response and I am glad to know that Let's Encrypt is working to make this feature possible.

1 Like

What feature? The allowlist was always meant as a temporary method, until ISRG Root X2 is widely trusted.

2 Likes

Any idea like a timeline when this can be expected?

Where "exact" also means "rough" to be honest.

We have many services running, so I believe with one account we might hit the limit on the number of certificates that can be issued? I understand it's 100. Please correct me if I am wrong.

Please see Rate Limits - Let's Encrypt

The real relevant rate limit with regard to accounts here is:

You can create a maximum of 300 New Orders per account per 3 hours.

So if you require more than 300 certificates per 3 hours continuously, then yes, you need more accounts. But I highly doubt that.

2 Likes

Are you sure you're not mixing up two different things? Anyone can request ECDSA certificates, and it's indeed the default now for popular clients (certbot, acme.sh, others).

By default those ECDSA certificates will be issued by an RSA intermediate (R3), but that should not make any functional difference for your server nor your clients (wrt. choice of ciphers, handshake performance, etc, that all depends exclusively on the leaf certificate type). Only if you want your ECDSA certificates to be issued by an ECDSA intermediate (E1), you can currently request this on account basis via the allowlist, until this becomes the default on LE side.

6 Likes
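The distinction in the reply above (ECDSA leaf under the RSA intermediate R3 versus a chain that is ECDSA all the way up to E1) is easy to verify on the artifact you actually received. The following is an added example, not code from the thread or from cert-manager or Let's Encrypt; it assumes only the `openssl` command-line tool and takes a PEM bundle such as cert-manager's `tls.crt` or the output of `openssl s_client -showcerts`.

```shell
# Added example: report the public-key algorithm of every certificate in a PEM
# bundle. An ECDSA leaf issued by the RSA intermediate (R3) shows
# id-ecPublicKey followed by rsaEncryption; a full ECDSA chain (E1) shows
# id-ecPublicKey for every certificate. Assumes only the openssl CLI.

# Print the subject and public-key algorithm of each certificate in the bundle.
chain_key_algos() {
    bundle="$1"
    # crl2pkcs7 wraps every certificate of the bundle into one PKCS#7 blob so a
    # single `openssl pkcs7 -print_certs -text` call decodes all of them.
    openssl crl2pkcs7 -nocrl -certfile "$bundle" \
        | openssl pkcs7 -print_certs -text -noout \
        | grep -E 'Subject:|Public Key Algorithm:'
}

# Exit 0 when the bundle is non-empty and every certificate carries an EC key,
# which is what a "full ECDSA chain" requirement actually asks for.
is_full_ecdsa_chain() {
    text=$(chain_key_algos "$1")
    total=$(printf '%s\n' "$text" | grep -c 'Public Key Algorithm:' || true)
    ec=$(printf '%s\n' "$text" | grep -c 'id-ecPublicKey' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ec" ]
}

# Usage: is_full_ecdsa_chain /path/to/tls.crt && echo "full ECDSA chain"
```

Run `chain_key_algos` against the bundle to see which certificate in the chain still carries an RSA key; `is_full_ecdsa_chain` is the one-line check to wire into a pipeline that must fail when the issuer falls back to the RSA intermediate.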

So I can use a single account to request certificates for multiple domain names?

Sure, no problem at all.

5 Likes

We have a requirement from our Security team that we need to have our full chain certs in ECDSA. I understand the ECDSA chain can be possible with the allowlist. So I wanted to know when ECDSA will be the default, so I can plan accordingly what changes to make.

1 Like

I'd like to hear their reasons.

6 Likes

We will likely have general availability of ECDSA chains on our next set of intermediates in Q1 or Q2 of 2024. No guarantee of schedule, but we don’t want to have to maintain a list either.

11 Likes

Yes. You should probably also fill out a rate limit request form too and note that you are consolidating many accounts and services under one account to get the full ECDSA chain to E1.

3 Likes

I think full ECDSA deployment will come when LE finally retires the DST Root X3 long chain, so it doesn't have a super long chain.

4 Likes