Obtaining an Elliptic Curve certificate from Let's Encrypt #51
Comments
|
Under the hood AutoACME uses Certes for LE interaction. I haven't checked the code, but using ES256, ES384 or ES512 as key algorithm may actually do the trick, see https://github.com/fszlin/certes/blob/main/src/Certes/KeyAlgorithm.cs |
|
Good hint. I can confirm: setting KeyAlgorithm to ES256 allowed to obtain an EC certificate from LE. Both when adding new host and when renewing an old RSA certificate. Subsequently, IIS (Win 2012 r2) offers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) cipfer with this certificate, which SSL Labs did not consider to be weak. However, to have Grade A in SSL Labs, you don't need to use EC Certificates but disable TLS 1.0 and 1.1. |
|
Thank you very much for your feedback! I'll add this to the documentation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is there an option to obtain an EC certificate from LE with autoacme? All ciphers used by IIS with RSA certs (at least under Windows 2012 r2) are considered weak by Qualys SSL Labs. IIS does not use EC ciphers without EC certificates.
BTW there is an undocumented option "KeyAlgorithm": "RS256" in a config file, but I do not know if and how we could use it.
The text was updated successfully, but these errors were encountered: