ECDSA Support

[jeffsani]

I did not see a parameter to support the request of ECDSA certs from ACMEv2. Am I missing something?

Thanks,
Jeff

[bllfr0g]

It's KEY_ALGO.

…

On 1/29/22 14:13, Jeff Sani wrote: I did not see a parameter to support the request of ECDSA certs from ACMEv2. Am I missing something? Thanks, Jeff — Reply to this email directly, view it on GitHub <#863>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJO74S3YQIC3VFJ72AAXKPTUYRRCBANCNFSM5NDMTSTQ>. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.KEY_Message ID: ***@***.***>

[jeffsani]

Ok thanks - I see that:

Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

#KEY_ALGO=secp384r1

But it is still not clear to me. RSA is obvious, I presume prime256v1 and secp384ri are EC+DSA? With Certbot, this is simply --key-type ecdsa or rsa.

[bllfr0g]

prime256v1 is a 256 bit curve used with ecdsa. Secp3841 is a 384 bit curve. Looks like certbot uses prime256v1 if you choose ecdsa and do not specify a curve. Choosing the curve for ecdsa is kind of analogous to choosing key length for rsa.

…

On Jan 29, 2022, at 16:07, Jeff Sani ***@***.***> wrote:  Ok thanks - I see that: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 #KEY_ALGO=secp384r1 But it is still not clear to me. RSA is obvious, I presume prime256v1 and secp384ri are EC+DSA? With Certbot, this is simply --key-type ecdsa or rsa. — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you commented.

[jeffsani]

Got it thanks!

[jeffsani]

So in domains_txt.md:
https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md

It has:

then add a config file certs/star_service_example_org_rsa/config with the value

KEY_ALGO="rsa"
or respectively

KEY_ALGO="ecdsa"

but in the config example, it is:

Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

#KEY_ALGO=secp384r1

is ecdca as an option deprecated?

[bllfr0g]

That may be a doc bug. I’m not sure if ecdsa was ever a valid option there, but it definitely isn’t now.

…

On Jan 31, 2022, at 13:05, Jeff Sani ***@***.***> wrote:  So in domains_txt.md: https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md It has: then add a config file certs/star_service_example_org_rsa/config with the value KEY_ALGO="rsa" or respectively KEY_ALGO="ecdsa" but in the config example, it is: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 #KEY_ALGO=secp384r1 is ecdca as an option deprecated? — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you commented.

[danrodrig]

The reference to ecdsa in https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md?plain=1#L58 is a bug indeed, #861.

The allowed values for KEY_ALGO are listed in https://github.com/dehydrated-io/dehydrated/blob/master/dehydrated#L320.