It is funny – at this moment we are using DV GeoTrust SSL Cert but has no support for ECC. We talked about ECC SSL (ECDSA) Certificate in previously published article around whether to upgrade or not. You can read that if you missed it. Few Costly Paid SSL Have Support For ECC. Let’s Encrypt Supports For Free. Here is How To Generate Let’s Encrypt ECC SSL (ECDSA) Certificate.
Let’s Encrypt supports ECC SSL (ECDSA) certificate is actually a point for our article Let’s Encrypt Versus Paid DV SSL Certificates. We purchased GeoTrust DV SSL up to 4 August 2018. There are actually many such victims. None every tested with two sets of SSL Certificates from CA with two algorithms. Such combination can DANE TLSA record invalid.
How To Generate Let’s Encrypt ECC SSL (ECDSA) Certificate
Run openssl version command to check OpenSSL version, output should be minimum like ours example :
1 2 | root@abhishekghosh:/etc/# openssl version OpenSSL 1.0.2g 1 Mar 2016 |
We already have guide on how to use CertBot on Ubuntu 16.04, Nginx. Please follow that series if you are not used with generating normal SSL/TLS Certificate with Let’s Encrypt/CertBot. If you are used, in those guides, we cloned CertBot GitHub repo to /opt/certbot and symlinked with /usr/bin/certbot or do not have RSA SSL certificates. Keep those old RSA certificates. We will use both together. We have to create a new private key. Change directory to inside the clone of GitHub repo. We will be using secp384r1 (Elliptic curve). Let us name it as named ecc.key. Run this command :
1 | sudo openssl ecparam -genkey -name secp384r1 | sudo openssl ec -out ecc.key |
Now we need to generate the CSR (we will named it as ecc.csr) with that private key :
1 | sudo openssl req -new -sha256 -key ecc.key -nodes -out ecc.csr -outform pem |
A promo will start like this, fill up that :
---
1 2 3 4 5 6 7 8 9 10 11 12 | Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []:y Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: |
If you do a ls, you will see those two certificates. For practical purpose move all to where all the certificates are. It was /etc/letsencrypt/live/bmch.in/ in our case. For the previous guide’s example webroot and domain name, we will run this command (/var/www/html was web root, bmch.in was domain) :
1 | ./certbot-auto certonly -w /var/www/html -d bmch.in --email "admin@bmch.in" --csr "/etc/letsencrypt/live/bmch.in/ecc.csr" --agree-tos |
You should be prompted with this kind of screen in your SSH. Choose option 2.
If everything goes fine, that should give you certificates with name like 0000-cert.pem, 0001-fullchain.pem. You can have trouble with the renewal process of ECDSA certificates. You need to run certbot certonly to pass the --csr argument manually for renewal like generating new one.
How To Use Let’s Encrypt ECC SSL (ECDSA) Certificate With RSA Certificates in Case of Nginx
In our previous guide, the Nginx certificate part was like :
1 2 3 4 5 6 7 8 9 10 11 12 | ... ssl_certificate /etc/letsencrypt/live/bmch.in/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/bmch.in/privkey.pem; ssl_dhparam /etc/letsencrypt/live/bmch.in/dhparam.pem; ssl_stapling on; ssl_stapling_verify off; ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 30s; ssl_trusted_certificate /etc/letsencrypt/live/bmch.in/lets-encrypt-x3-cross-signed.pem; ssl_ecdh_curve prime256v1; ... |
Only add two lines the new path :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | ... ssl_certificate /etc/letsencrypt/live/bmch.in/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/bmch.in/privkey.pem; ssl_dhparam /etc/letsencrypt/live/bmch.in/dhparam.pem; # new for ECDSA ssl_certificate /etc/letsencrypt/live/bmch.in/0001_chain.pem; ssl_certificate_key /etc/letsencrypt/live/bmch.in/ecc.pem; # new ended ssl_stapling on; ssl_stapling_verify off; ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 30s; ssl_trusted_certificate /etc/letsencrypt/live/bmch.in/lets-encrypt-x3-cross-signed.pem; ssl_ecdh_curve prime256v1; ... |
Why ssl_stapling_verify off; that is written in this guide – it gives OCSP Response Expired error.
Easy thing. Now run Nginx config test :
1 | nginx -t |
And restrart Nginx :
1 | service nginx restart |
You can test on this website :
1 | https://tls.imirhil.fr |
