Let’s get a curve!

The curve

openssl version #3.0.0-dev
openssl ecparam -list_curves | less

mainly these two are supported by typical clients

  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

so let’s proceed with the supposedly fastest one

cd ~/certs/
#openssl ecparam -genkey -name prime256v1 | openssl ec -out prime256v1.key
openssl ecparam -genkey -name prime256v1 > prime256v1.key
ls -lF prime256v1.key
chmod 400 prime256v1.key

CSR

cp -f /usr/local/ssl/openssl.cnf.dist /usr/local/ssl/openssl.cnf
vi /usr/local/ssl/openssl.cnf

[ req_distinguished_name ]
countryName_default             = FR
#stateOrProvinceName_default     = 
localityName_default            = Paris 
emailAddress_default            = pbraun@nethence.com

openssl req -new -sha256 -key prime256v1.key -out xc.nethence.com.csr -config /usr/local/ssl/openssl.cnf
cat xc.nethence.com.csr

Dehydrated

git clone https://github.com/lukas2511/dehydrated.git
cp dehydrated/dehydrated /usr/local/bin/
dehydrated -h

mkdir -p /etc/dehydrated/
cp dehydrated/docs/examples/config /etc/dehydrated/
vi /etc/dehydrated/config     

IP_VERSION=4
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
WELLKNOWN="/data/www/xc.nethence.com/.well-known/acme-challenge"

mkdir -p /data/www/xc.nethence.com/.well-known/acme-challenge/

accept the terms

dehydrated --register --accept-terms
ll /etc/dehydrated/accounts/

attempt to get your CSR signed

dehydrated --signcsr /root/certs/xc.nethence.com.csr > prime256v1.crt

and check

openssl x509 -in prime256v1.crt -noout -text
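Added example, not code from the page: a POSIX shell script that repeats the key and CSR steps above in a scratch directory and then runs the checks worth doing on whatever comes back from the CA: that the key really is prime256v1, that the key file is mode 400, that the CSR self-signature verifies, and that key, CSR and certificate all carry the same public key. It assumes openssl is in PATH and reuses the page's host name xc.nethence.com; the self-signed certificate it produces is a constructed stand-in for the Let's Encrypt-issued prime256v1.crt, because this runs offline. The same three `pubkey_of` calls apply unchanged to the real certificate.

```shell
#!/bin/sh
# Added example (not part of the original page). Regenerates an EC key and
# CSR as on the page, then checks that key, CSR and certificate agree.
set -eu

# Assumption: a writable scratch directory; override with WORK=/some/dir.
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/prime256v1.key"
CSR="$WORK/xc.nethence.com.csr"
CRT="$WORK/prime256v1.crt"

# Same as the page's commented-out variant: piping through "openssl ec"
# drops the leading "EC PARAMETERS" block that "ecparam -genkey" emits,
# leaving only the EC PRIVATE KEY block that servers need.
gen_key() {
    openssl ecparam -genkey -name prime256v1 | openssl ec -out "$KEY" 2>/dev/null
    chmod 400 "$KEY"
}

# -subj replaces the interactive prompts driven by openssl.cnf on the page.
gen_csr() {
    openssl req -new -sha256 -key "$KEY" \
        -subj "/C=FR/L=Paris/CN=xc.nethence.com" -out "$CSR"
}

# Constructed stand-in for the CA-issued certificate (offline only).
gen_selfsigned() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -sha256 -days 1 \
        -out "$CRT" 2>/dev/null
}

# Prints the curve name recorded in the private key, e.g. "prime256v1".
key_curve() {
    openssl ec -in "$KEY" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# True when the key file is readable by its owner only (chmod 400).
key_mode_ok() {
    [ "$(ls -l "$KEY" | cut -c1-10)" = "-r--------" ]
}

# True when the CSR's self-signature verifies against its own public key.
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Prints the SubjectPublicKeyInfo (PEM) held by a key, CSR or certificate.
pubkey_of() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
        *) echo "unknown file type: $1" >&2; return 1 ;;
    esac
}

# True when key, CSR and certificate all embed the same public key.
same_pubkey() {
    k=$(pubkey_of "$KEY"); c=$(pubkey_of "$CSR"); t=$(pubkey_of "$CRT")
    [ "$k" = "$c" ] && [ "$k" = "$t" ]
}

# Prints the certificate's signature algorithm, e.g. "ecdsa-with-SHA256".
cert_sigalg() {
    openssl x509 -in "$CRT" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

gen_key
gen_csr
gen_selfsigned
echo "curve:     $(key_curve)"
echo "signature: $(cert_sigalg)"
if same_pubkey; then
    echo "key, CSR and certificate carry the same public key"
else
    echo "MISMATCH: certificate does not belong to $KEY" >&2
fi
```

On a certificate returned by dehydrated, a mismatch here means the wrong key was kept on disk or the wrong CSR was submitted; checking it before installing the certificate avoids a TLS handshake failure on the live host.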

Resources

Upcoming Features https://letsencrypt.org/upcoming-features/

Documentation https://www.ssllabs.com/projects/documentation/index.html

SSL Labs Known Issues https://discussions.qualys.com/docs/DOC-4865

curves

Testing out ECDSA certificates https://scotthelme.co.uk/ecdsa-certificates/

Howto obtain ECDSA cert (in addition to RSA) with certbot? https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687/3

Obtaining an Elliptic Curve certificate from Let’s Encrypt https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc

How to obtain an ECDSA wildcard certificate from Let’s Encrypt https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe

Using ECDSA certificates with Let’s Encrypt https://www.ericlight.com/using-ecdsa-certificates-with-lets-encrypt

dehydrated

Dehydrated: a bash client for Let’s Encrypt https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

WELLKNOWN https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md

WELLKNOWN documentation gives conflicting statements #193 https://github.com/lukas2511/dehydrated/issues/193

Dehydrated and Let’s Encrypt https://sysadmin.pm/dehydrated-letsencrypt/

I can not renew a certificate (dehydrated) https://community.letsencrypt.org/t/i-can-not-renew-a-certificate-dehydrated/77487

other acme

ACME Client Implementations https://letsencrypt.org/docs/client-options/

ACMEv2 client written in plain C code with minimal dependencies https://github.com/ndilieto/uacme/

A pure Unix shell script implementing ACME client protocol https://acme.sh https://github.com/Neilpang/acme.sh

Testing TLS/SSL encryption https://testssl.sh/

rfcs

Algorithms and Identifiers https://tools.ietf.org/html/rfc3279

