Problem Issuing EC-384 Certificate

I receive the following error now that I try to get an EC certificate using staging:

Error: urn:acme:error:malformed :: The request message was malformed :: Error unmarshaling certificate request

My CSR is the following:

-----BEGIN CERTIFICATE REQUEST-----
MIICkjCCAhgCAQAwgYoxCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdGhlbnMxDzAN
BgNVBAcMBkF0aGVuczEOMAwGA1UECgwFSmFzb24xCzAJBgNVBAsMAklUMRMwEQYD
VQQDDAp3aW5wYWNrLmNmMScwJQYJKoZIhvcNAQkBFhh3aW5wYWNramFzb25Ab3V0
bG9vay5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR0aRzxQcjVmz7sZUNGoKjc
JYm+b7dJNtLYbxjjAQww+Y4at6vCT1AIjv9q6em5yOboL4QBkWDL+lebV/6TBveG
NeOS+ZgvUkXMjluVPS+nl+6M46cI+1LVQWCNJzenid6gggEMMIIBCAYJKoZIhvcN
AQkOMYH6MIH3MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgP4MCAGA1UdJQEB/wQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBtwYDVR0RBIGvMIGsggp3aW5wYWNrLmNm
gg53d3cud2lucGFjay5jZoIPbWFpbC53aW5wYWNrLmNmgg1teC53aW5wYWNrLmNm
gg5teDIud2lucGFjay5jZoIOd2lucGFjay5ldS5vcmeCEnd3dy53aW5wYWNrLmV1
Lm9yZ4ITbWFpbC53aW5wYWNrLmV1Lm9yZ4IRbXgud2lucGFjay5ldS5vcmeCEm14
Mi53aW5wYWNrLmV1Lm9yZzAKBggqhkjOPQQDBANoADBlAjEAp/t3wm2bZY5zOWz5
VP8T7TSVlMOkpuOVvMMI80t9pYrITTTQ7WBAgdT9jWGPmZSiAjA7dJMgSGx/JGgR
l1paiVqp3YhvG6slC3x6nFwopy4YYbnpP9J4sYzgmDlnOJwSRNE=
-----END CERTIFICATE REQUEST-----

I do not understand: where is the problem?

I don’t know for sure that’s the problem, but your CSR uses SHA512 as its hash function… Try SHA256 perhaps?

OK, I figured the problem. I had specified some critical extensions that LE wasn’t going to issue, so I fixed that. However, I am now getting:

The request message was malformed :: Invalid key in certificate request :: ECDSA curve P-384 not allowed

@jsha Doesn’t the production server support EC-384 yet?

No, the 384 curve is not currently enabled.

May I ask why? And also why staging doesn’t support P-521?

We haven’t yet made the necessary config changes following last week’s deploy. We will get to it, but we have a lot of higher priorities this week.

May I also ask exactly what KeyUsages are allowed by LE?

Details are on the other thread: ECDSA testing on staging. We will support Digital Signature. Part of the delay was the requisite code change to support different KeyUsages for different types of EE certs.

Hi, is there an issue for the KeyUsages changes?
I can not find it and it is not related to the EC Milestone.

Do you mean Switch between CFSSL profiles based on EE cert type #1384 and Allow CFSSL profiles to be selected by key type #1389?

I think yes, i did not know that it is called CFSSL and found no link from the EC thread.
Thanks for the reply.