Using certbot --apache to get ECDSA - how?

A little information for you all.

I had hoped that the command below would produce an ECC cert and not an ECDSA one, and not 128-bit. But it seems like the options after --apache do not work with certbot.

So how do I do this while using the --apache command?

My domain is:
vintagehifi.dk

I ran this command:
certbot --apache --key-type ecdsa --elliptic-curve secp384r1 -d vintagehifi.dk -d www.vintagehifi.dk

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/vintagehifi.dk.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for vintagehifi.dk and www.vintagehifi.dk

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/vintagehifi.dk/fullchain.pem
Key is saved at: /etc/letsencrypt/live/vintagehifi.dk/privkey.pem
This certificate expires on 2025-11-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for vintagehifi.dk to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Successfully deployed certificate for www.vintagehifi.dk to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: vintagehifi.dk
Serial Number: 5b240d24ede40e0100d9684de954d2ec6fa
Key Type: ECDSA
Domains: vintagehifi.dk www.vintagehifi.dk
Expiry Date: 2025-11-03 08:00:58+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/vintagehifi.dk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vintagehifi.dk/privkey.pem

My web server is (include version):
Apache2 latest

The operating system my web server runs on is (include version):
Ubuntu 24.04

From Google:

ECDSA, or Elliptic Curve Digital Signature Algorithm, is a cryptographic algorithm used to create digital signatures. It's a variant of the Digital Signature Algorithm (DSA) that uses elliptic curve cryptography (ECC).

It's pretty much done what you asked for. Key bit size has a different meaning when talking about RSA vs EC.

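To see for yourself what certbot produced, rather than relying on the "Key Type: ECDSA" column, inspect the private key and certificate with openssl. The script below is an added example, not code from the thread or from certbot; it assumes a POSIX sh and the openssl CLI. With no arguments it generates a throwaway P-384 key and self-signed certificate (constructed sample input standing in for the files under /etc/letsencrypt/live/<domain>/); with two arguments it inspects the given privkey.pem and cert.pem. The bit count it prints is what openssl reports (384 for P-384, 2048 for RSA-2048) and is not comparable across algorithms: NIST SP 800-57 Part 1 rates P-384 at 192 bits of security, roughly the level of RSA-7680, which is why a "384-bit" EC key is not a weaker key than a 2048-bit RSA one.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): report the key type,
# curve and size of a private key, and what the certificate records.
set -eu

# Named curve of an EC private key (e.g. secp384r1); empty for non-EC keys.
key_curve() {
  openssl pkey -in "$1" -noout -text 2>/dev/null |
    awk -F': *' '/ASN1 OID:/ { print $2; exit }'
}

# Key size in bits as openssl reports it (384 for P-384, 2048 for RSA-2048).
key_bits() {
  openssl pkey -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# "ECDSA" or "RSA", matching certbot's "Key Type:" column, else "unknown".
key_type() {
  if [ -n "$(key_curve "$1")" ]; then
    echo ECDSA
  elif openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q '^modulus:'; then
    echo RSA
  else
    echo unknown
  fi
}

# Public key algorithm recorded in the certificate (id-ecPublicKey / rsaEncryption).
cert_pubkey_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk -F': *' '/Public Key Algorithm:/ { print $2; exit }'
}

# Algorithm the issuer used to sign the certificate, e.g. ecdsa-with-SHA384.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Constructed sample input: a throwaway P-384 key and self-signed certificate,
# standing in for /etc/letsencrypt/live/<domain>/privkey.pem and cert.pem so
# the script runs offline. The tiny config avoids depending on openssl.cnf.
make_sample() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
  openssl ecparam -name secp384r1 -genkey -noout -out "$1/privkey.pem" 2>/dev/null
  openssl req -new -x509 -key "$1/privkey.pem" -config "$1/req.cnf" \
    -subj "/CN=example.test" -days 1 -out "$1/cert.pem" 2>/dev/null
}

# One-screen summary of a key/certificate pair.
report() {
  printf 'key type: %s\ncurve: %s\nbits: %s\ncert pubkey: %s\ncert signed with: %s\n' \
    "$(key_type "$1")" "$(key_curve "$1")" "$(key_bits "$1")" \
    "$(cert_pubkey_alg "$2")" "$(cert_sig_alg "$2")"
}

# Usage: sh check-key.sh [privkey.pem cert.pem]
# e.g.   sh check-key.sh /etc/letsencrypt/live/vintagehifi.dk/privkey.pem \
#                        /etc/letsencrypt/live/vintagehifi.dk/cert.pem
if [ "$#" -eq 2 ]; then
  report "$1" "$2"
else
  tmp=$(mktemp -d)
  make_sample "$tmp"
  report "$tmp/privkey.pem" "$tmp/cert.pem"
  rm -rf "$tmp"
fi
```

For a certbot-issued ECDSA certificate the expected lines are `key type: ECDSA`, `curve: secp384r1` (if `--elliptic-curve secp384r1` took effect; certbot's default is secp256r1), `bits: 384` and `cert pubkey: id-ecPublicKey`. The "cert signed with" line is the CA's signature algorithm over the certificate and is chosen by the CA, not by the key you generated.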

You are right. It's set in /etc/letsencrypt/options-ssl-apache.conf:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384
SSLHonorCipherOrder on

Thx