AutoACME icon indicating copy to clipboard operation
AutoACME copied to clipboard
verified publisher icon ridercz

Obtaining an Elliptic Curve certificate from Let's Encrypt

Open pik-256 opened this issue 4 years ago • 3 comments

Is there an option to obtain an EC certificate from LE with autoacme? All ciphers used by IIS with RSA certs (at least under Windows 2012 r2) are considered weak by Qualys SSL Labs. IIS does not use EC ciphers without EC certificates. BTW there is an undocumented option "KeyAlgorithm": "RS256" in a config file, but I do not know if and how we could use it.

pik-256 avatar Nov 18 '21 07:11 pik-256

Under the hood AutoACME uses Certes for LE interaction. I haven't checked the code, but using ES256, ES384 or ES512 as key algorithm may actually do the trick, see https://github.com/fszlin/certes/blob/main/src/Certes/KeyAlgorithm.cs

avonwyss avatar Nov 19 '21 00:11 avonwyss

Good hint. I can confirm: setting KeyAlgorithm to ES256 allowed to obtain an EC certificate from LE. Both when adding new host and when renewing an old RSA certificate. Subsequently, IIS (Win 2012 r2) offers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) cipfer with this certificate, which SSL Labs did not consider to be weak. However, to have Grade A in SSL Labs, you don't need to use EC Certificates but disable TLS 1.0 and 1.1.

pik-256 avatar Nov 19 '21 23:11 pik-256

Thank you very much for your feedback! I'll add this to the documentation.

avonwyss avatar Nov 20 '21 01:11 avonwyss