On 5/29/19 9:58 AM, Florian Obser wrote:
On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote:
Hello,

First, sorry for double posting to misc@.

This is a short patch to let acme-client accept ECDSA keys now that
letsencrypt accepts signing certificates with those keys. This functionality
is present in certbot, so it might be a good idea to let acme-client accept
that too.

thanks

The key needs to be generated manually
i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem

why not let acme-client generate the key?

I prefer to first enable testing for everyone to be able to spot the eventual problems with those certs. For example, opensmtpd and relayd still don't support ecdsa certs because they don't have a privsep engine for that yet, so you certainly don't want ecdsa to be the default at the moment.

But, yes, I plan to make a patch to enable generating ecdsa keys. It will mainly be useful when Letsencrypt will allow signing with ecdsa too.
