Trying to get a cert with 2048 rsa size

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nyiix.net

I ran this command:
certbot certonly --manual --email admin@telehouse.com --agree-tos --preferred-challenges dns --rsa-key-size 2048 -d *.nyiix.net -d *.laiix.net

It produced this output:
a cert with a 256 rsa key

openssl x509 -in cert.pem -text -noout|more

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:db:1d:1c:97:22:6e:60:d6:11:4e:d6:65:b4:96:f7:7c:70
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = Let's Encrypt, CN = E7
Validity
Not Before: Oct 9 16:11:21 2025 GMT
Not After : Jan 7 16:11:20 2026 GMT
Subject: CN = *.nyiix.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:12:28:9f:3e:c0:99:b7:b6:2f:73:0f:73:54:e0:
a7:e3:0f:41:8a:54:93:22:99:32:ce:7d:60:b8:fd:
31:d8:0f:16:0c:e3:e9:63:61:e2:63:a5:d7:cd:7b:
78:5e:f3:9c:29:35:ba:55:09:f3:a5:3e:e7:c8:13:
e9:6b:f5:55:50
ASN1 OID: prime256v1
NIST CURVE: P-256

My web server is (include version):
apache2 -v
Server version: Apache/2.4.58 (Ubuntu)
Server built: 2025-08-11T11:10:09

The operating system my web server runs on is (include version):
cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"

My hosting provider, if applicable, is: NONE

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

Yeah, Certbot is a little bit dumb in that sense: it defaults to ECDSA. It doesn't matter if you specify the --rsa-key-size option, it still will generate an ECDSA keypair.

You need to specify rsa as the value for the --key-type option.

And 2048 is already the default keysize for RSA keys, so no need to specify that extra, unless you also have it specified in your cli.ini for example.

By the way: is there a specific reason why you want 2048 bit keysize? Because it isn't necessarily "better" than the 256 bits of the ECDSA key. You can't compare 2048 with 256 as those are completely different algorithms! To be more specific: those key sizes are about equivalent!

See e.g. ECDSA vs RSA - Cryptographic Strength and Efficiency | by Jeeva-AWSLabsJourney | Medium for a comparison of RSA vs. ECDSA.

4 Likes
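A way to confirm which key type and size a certificate carries after reissuing with --key-type rsa, as the reply above describes. This is an added example, not part of the original posts; the function names and the self-signed sample certificates (CN sample.invalid) are constructed for illustration, and it assumes the openssl and awk command-line tools are available.

```sh
#!/bin/sh
# Added example: check what key a certificate actually carries after reissuing
# with "--key-type rsa" (plus "--rsa-key-size 2048" if cli.ini overrides it).

# cert_key_info FILE -> prints "<algorithm> <bits>", e.g. "rsaEncryption 2048"
cert_key_info() {
    openssl x509 -in "$1" -noout -text | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/        { gsub(/[^0-9]/, ""); bits = $0 }
        END                     { print alg, bits }'
}

# require_rsa FILE BITS -> status 0 only for an RSA key of exactly BITS bits
require_rsa() {
    [ "$(cert_key_info "$1")" = "rsaEncryption $2" ]
}

# make_sample_cert rsa|ec FILE -> constructed self-signed cert for the demo
# (hypothetical helper; sample.invalid is a placeholder name)
make_sample_cert() {
    case "$1" in
        rsa) set -- "$2" -newkey rsa:2048 ;;
        ec)  set -- "$2" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 ;;
        *)   return 2 ;;
    esac
    out=$1; shift
    openssl req -x509 -nodes "$@" -keyout "$out.key" -out "$out" \
        -subj "/CN=sample.invalid" -days 1 2>/dev/null
}

# With a path argument, report on that certificate (e.g. cert.pem from certbot).
if [ "$#" -gt 0 ]; then
    cert_key_info "$1"
fi
```

Run against the certificate shown in the first post, cert_key_info would report id-ecPublicKey 256, which is why an application that insists on RSA 2048 rejects it.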

By the way: is there a specific reason why you want 2048 bit keysize? ---> The sub application I am using requires 2048 bits

1 Like

It likely requires RSA key type then.

1 Like

What ancient relic of bygone days is that?

1 Like

Likely something embedded, possibly of IoT.

1 Like
