Elliptic curve keys and certs
GetSSL supports the use of elliptic curve keys: prime256v1 (NIST P-256) and secp384r1 (NIST P-384). secp521r1 (NIST P-521) is included in the code but is not currently supported by Let's Encrypt.
You can create your own account key using openssl:
openssl ecparam -genkey -name alg-type > /path/to/account.key
where alg-type is prime256v1, secp384r1 or secp521r1 (the last is not currently supported by Let's Encrypt). The account key identifies your ACME account to the CA, so create it where only the user running getssl can read it.
Alternatively, you can just specify ACCOUNT_KEY="/path/to/account.key"
and ACCOUNT_KEY_TYPE="secp384r1"
in the getssl.cfg file. If the account key does not already exist, getssl will create it with that type; an existing key is used as-is.
If you set PRIVATE_KEY_ALG
to one of the EC values (such as prime256v1 or secp384r1), the domain private key is generated on that curve and the CSR is signed with it, so the issued certificate carries an ECDSA public key. (The certificate itself is signed by the CA; secp521r1 is accepted by the code but Let's Encrypt will not issue for it.)
If you specify DUAL_RSA_ECDSA="true"
then two keys are used: an RSA key in yourdomain.key and an EC key in yourdomain.ec.key, the latter on the curve given by PRIVATE_KEY_ALG.
This generates two CSRs (one with extension .csr and the other .ec.csr) and two certificates (one with extension .crt and the other .ec.crt). Recent versions of Apache httpd (2.4.8 and later) and nginx (1.11.0 and later) let you configure both certificates for the same virtual host; the server presents the ECDSA certificate when the client's TLS handshake advertises support for it and falls back to the RSA certificate otherwise.
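The following is an added example, not code from getssl or this wiki, that performs the key and CSR generation described above with plain openssl so you can inspect what getssl's settings produce: it creates an EC account key (the same openssl call as above, with -noout so the file holds only the private key), builds the RSA/EC key and CSR pairs that DUAL_RSA_ECDSA="true" produces (file names mirror the page: yourdomain.key, yourdomain.ec.key, .csr, .ec.csr), refuses secp521r1 because Let's Encrypt does not accept it, and reads back the curve and public-key algorithm from the results. It assumes openssl is on PATH; the function names, the domain example.com and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of getssl). Assumes openssl is on PATH.
set -u

# Curves getssl can generate; secp521r1 is in the code but Let's Encrypt rejects it.
le_supports_curve() {  # le_supports_curve <curve>
    case "$1" in
        prime256v1|secp384r1) return 0 ;;
        *) return 1 ;;
    esac
}

# Same as the account-key command on the page, with -noout so the file
# contains only the EC PRIVATE KEY block (no leading EC PARAMETERS block).
gen_ec_key() {  # gen_ec_key <curve> <path>
    openssl ecparam -genkey -name "$1" -noout -out "$2" 2>/dev/null
}

gen_rsa_key() {  # gen_rsa_key <bits> <path>
    openssl genrsa -out "$2" "$1" 2>/dev/null
}

# Named curve of an EC private key file, e.g. "secp384r1".
key_curve() {  # key_curve <path>
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# CSR for <domain> signed with <key>; this is what gets submitted to the ACME CA.
gen_csr() {  # gen_csr <key> <domain> <out.csr>
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Public-key algorithm embedded in a CSR: "id-ecPublicKey" or "rsaEncryption".
csr_key_alg() {  # csr_key_alg <csr>
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p'
}

# Mirror DUAL_RSA_ECDSA="true": <domain>.key/.csr (RSA, 2048 bit) and
# <domain>.ec.key/.ec.csr (EC on <curve>, i.e. PRIVATE_KEY_ALG).
make_dual_keys() {  # make_dual_keys <dir> <domain> <curve>
    dir=$1; domain=$2; curve=$3
    if ! le_supports_curve "$curve"; then
        echo "curve $curve is not accepted by Let's Encrypt" >&2
        return 1
    fi
    gen_rsa_key 2048 "$dir/$domain.key"       || return 1
    gen_ec_key "$curve" "$dir/$domain.ec.key" || return 1
    gen_csr "$dir/$domain.key"    "$domain" "$dir/$domain.csr"    || return 1
    gen_csr "$dir/$domain.ec.key" "$domain" "$dir/$domain.ec.csr" || return 1
    # Each CSR must carry a valid self-signature or the CA will reject it.
    openssl req -in "$dir/$domain.csr"    -noout -verify 2>/dev/null || return 1
    openssl req -in "$dir/$domain.ec.csr" -noout -verify 2>/dev/null || return 1
}

# Run with --demo to see the dual setup end to end.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_dual_keys "$tmp" example.com secp384r1
    echo "RSA CSR: $(csr_key_alg "$tmp/example.com.csr")"
    echo "EC  CSR: $(csr_key_alg "$tmp/example.com.ec.csr") on curve $(key_curve "$tmp/example.com.ec.key")"
    rm -rf "$tmp"
fi
```

The curve check in make_dual_keys is what you want before spending an ACME order on a key the CA will refuse; key_curve and csr_key_alg are also handy for confirming that an existing account or domain key really is on the curve your getssl.cfg names.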