Let’s get a curve!

The curve

which openssl
openssl version #1.1.1g or 3.0.0-dev
openssl ecparam -list_curves

mainly these two are supported by average clients:

  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

so let’s proceed with the supposedly fastest one

cd /etc/ssl/
domain=DOMAIN.TLD

#openssl ecparam -genkey -name prime256v1 | openssl ec -out $domain.key
openssl ecparam -genkey -name prime256v1 > $domain.key
ls -lhF $domain.key
chmod 400 $domain.key

CSR

NetBSD does not ship an openssl.cnf by default:

cp -i /usr/local/ssl/openssl.cnf.dist /usr/local/ssl/openssl.cnf
vi /usr/local/ssl/openssl.cnf

anyway, take the chance to tune it on Ubuntu:

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ req_distinguished_name ]
countryName_default             = FR
#stateOrProvinceName_default     =
localityName_default            = Paris
#0.organizationName_default     = Internet Widgits Pty Ltd
emailAddress_default            = pbraun@nethence.com

openssl req -new -sha256 -key $domain.key -out $domain.csr -config /etc/ssl/openssl.cnf
ls -lhF *.csr

TODO: add CN=$domain on the command line for CSR generation
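The key and CSR steps above, as an added example that is not part of the original notes: the key is created under umask 077 so it is never world-readable (rather than chmod'ed after the fact), and the CSR carries the domain as CN and as a subjectAltName, which is what an ACME CA actually validates. The domain example.test, the helper names and the extra www. SAN are constructed for the example; -addext needs OpenSSL 1.1.1 or later, which matches the versions mentioned above.

```shell
#!/bin/sh
# Added example (not from the original page): P-256 key plus a CSR with SAN.
# Assumes OpenSSL 1.1.1+ (for -addext) and a working default openssl.cnf.
set -e

# make_ec_csr DOMAIN DIR -> writes DIR/DOMAIN.key and DIR/DOMAIN.csr
make_ec_csr() {
    domain=$1
    dir=$2
    mkdir -p "$dir"
    # Create the key in a subshell with a restrictive umask, so there is no
    # window in which the file exists with permissive mode bits.
    (
        umask 077
        openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$domain.key"
    )
    # CN is kept for legacy viewers; the SAN extension is what CAs validate.
    openssl req -new -sha256 \
        -key "$dir/$domain.key" \
        -subj "/C=FR/L=Paris/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -out "$dir/$domain.csr"
}

# key_mode FILE -> the mode string as shown by ls -l, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# csr_curve CSR -> the named curve of the CSR's public key (e.g. prime256v1)
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# csr_sans CSR -> the SAN list of the CSR, spaces stripped
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# csr_selfcheck CSR -> exit 0 if the CSR's self-signature verifies
csr_selfcheck() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage with a constructed domain name in a temporary directory.
demo_dir=$(mktemp -d)
make_ec_csr example.test "$demo_dir"
echo "key mode: $(key_mode "$demo_dir/example.test.key")"
echo "curve:    $(csr_curve "$demo_dir/example.test.csr")"
echo "SANs:     $(csr_sans "$demo_dir/example.test.csr")"
if csr_selfcheck "$demo_dir/example.test.csr"; then echo "CSR signature OK"; fi
```

Point the real run at /etc/ssl and drop the www. entry if the certificate is only for the bare name; the three check functions are the ones worth keeping in a deployment script, since a CSR with the wrong curve or no SAN only fails later, at the CA.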

Dehydrated

See dehydrated

Acceptance

notice that both certificates are in there, the leaf first and the intermediate at the end; check with

cat $domain.crt
openssl x509 -in $domain.crt -noout -text | less

Moar

look at the CA Issuers field (Authority Information Access) and fetch the intermediate certificate:

wget -O lex3.der cert.int-x3.letsencrypt.org
openssl x509 -in lex3.der -inform der -noout -text | less
openssl x509 -in lex3.der -inform der -out lex3.crt -outform pem
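The acceptance checks of the previous section and the intermediate handling of this one, as an added example that is not part of the original notes: count the certificates in the bundle, confirm the leaf's issuer is the bundled intermediate, confirm the private key belongs to the leaf, verify the chain to a root, and check that the DER intermediate downloaded from the CA Issuers URL is the same one that is in the bundle. No real Let's Encrypt bundle is available offline, so a throwaway root -> intermediate -> leaf chain is constructed inside the script and stands in for what the ACME client returned; all names (Test Root, example.test, the helper functions) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): checks on a cert bundle.
# The chain built by build_test_chain is a constructed stand-in for the
# $domain.crt written by the ACME client and the DER file from CA Issuers.
set -e

# build_test_chain DIR -> DIR/leaf.key, DIR/bundle.crt (leaf + intermediate),
# DIR/int.der (intermediate in DER, as served by CA Issuers) and DIR/root.crt
build_test_chain() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$dir/leaf.ext"
    # throwaway self-signed root
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/root.key"
    openssl req -new -sha256 -key "$dir/root.key" -subj "/CN=Test Root" -out "$dir/root.csr"
    openssl x509 -req -sha256 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -days 3 -out "$dir/root.crt" 2>/dev/null
    # throwaway intermediate signed by the root
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/int.key"
    openssl req -new -sha256 -key "$dir/int.key" -subj "/CN=Test Intermediate" -out "$dir/int.csr"
    openssl x509 -req -sha256 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 2 -out "$dir/int.crt" 2>/dev/null
    # leaf signed by the intermediate, bundled the way an ACME client writes it
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/leaf.key"
    openssl req -new -sha256 -key "$dir/leaf.key" -subj "/CN=example.test" -out "$dir/leaf.csr"
    openssl x509 -req -sha256 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -days 1 -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/int.crt" > "$dir/bundle.crt"
    openssl x509 -in "$dir/int.crt" -outform der -out "$dir/int.der"
}

# bundle_cert_count BUNDLE -> number of PEM certificates in the file
bundle_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# first and second certificate of a PEM bundle, on stdout
bundle_leaf()   { awk '/BEGIN CERTIFICATE/{n++} n==1' "$1"; }
bundle_second() { awk '/BEGIN CERTIFICATE/{n++} n==2' "$1"; }

# chain_links BUNDLE -> 0 if the leaf's issuer DN equals the intermediate's subject DN
chain_links() {
    iss=$(bundle_leaf "$1" | openssl x509 -noout -issuer)
    sub=$(bundle_second "$1" | openssl x509 -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# key_matches_cert KEY BUNDLE -> 0 if KEY's public half is the leaf's public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform der | openssl sha256)
    c=$(bundle_leaf "$2" | openssl x509 -noout -pubkey \
        | openssl pkey -pubin -pubout -outform der | openssl sha256)
    [ "$k" = "$c" ]
}

# verify_bundle ROOT BUNDLE -> 0 if the leaf chains to ROOT through the bundled intermediate
verify_bundle() {
    leaf=$(mktemp)
    bundle_leaf "$2" > "$leaf"
    if openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$leaf"
    return $rc
}

# der_to_pem IN.der OUT.pem, as done for lex3.der above
der_to_pem() { openssl x509 -in "$1" -inform der -out "$2" -outform pem; }

# int_matches_bundle INT.pem BUNDLE -> 0 if the downloaded intermediate is the bundled one
int_matches_bundle() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    b=$(bundle_second "$2" | openssl x509 -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Usage on the constructed chain.
demo=$(mktemp -d)
build_test_chain "$demo"
der_to_pem "$demo/int.der" "$demo/int.pem"
echo "certs in bundle: $(bundle_cert_count "$demo/bundle.crt")"
if chain_links "$demo/bundle.crt"; then echo "leaf issuer matches bundled intermediate"; fi
if key_matches_cert "$demo/leaf.key" "$demo/bundle.crt"; then echo "private key matches leaf"; fi
if verify_bundle "$demo/root.crt" "$demo/bundle.crt"; then echo "chain verifies to root"; fi
if int_matches_bundle "$demo/int.pem" "$demo/bundle.crt"; then echo "downloaded intermediate is the bundled one"; fi
```

For a real bundle, call the check functions on $domain.key, $domain.crt and the system trust store (for instance /etc/ssl/certs/ca-certificates.crt on Ubuntu as ROOT) instead of the constructed files; the key/cert comparison in particular catches the classic mistake of renewing into a new key while the web server still points at the old one.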

draft, and optional (the root certificate, DST Root CA X3):

#wget http://apps.identrust.com/roots/dstrootcax3.p7c
#openssl pkcs7 -print_certs -in dstrootcax3.p7c -out dstrootcax3.crt

Resources

Upcoming Features https://letsencrypt.org/upcoming-features/

Documentation https://www.ssllabs.com/projects/documentation/index.html

SSL Labs Known Issues https://discussions.qualys.com/docs/DOC-4865

curves

Testing out ECDSA certificates https://scotthelme.co.uk/ecdsa-certificates/

Howto obtain ECDSA cert (in addition to RSA) with certbot? https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687/3

Obtaining an Elliptic Curve certificate from Let’s Encrypt https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc

How to obtain an ECDSA wildcard certificate from Let’s Encrypt https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe

Using ECDSA certificates with Let’s Encrypt https://www.ericlight.com/using-ecdsa-certificates-with-lets-encrypt

other acme

ACME Client Implementations https://letsencrypt.org/docs/client-options/

ACMEv2 client written in plain C code with minimal dependencies https://github.com/ndilieto/uacme/

A pure Unix shell script implementing ACME client protocol https://acme.sh https://github.com/Neilpang/acme.sh

Testing TLS/SSL encryption https://testssl.sh/

rfcs

Algorithms and Identifiers https://tools.ietf.org/html/rfc3279

moar

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

How to convert a certificate into the appropriate format https://knowledge.digicert.com/solution/SO26449.html