Create a ECDSA certificate with Let’s Encrypt

//Create a ECDSA certificate with Let’s Encrypt
1/52/53/54/55/5 (3 votes, moyenne: 5,00 sur 5)
Loading...

Create a ECDSA certificate with Let’s Encrypt

Hi everyone,

After a twitter chat with @PunKeel, I’ve learned that Let’s Encrypt now provide ECDSA certificate. I’m interested by that because ECDSA are much less resources consuming than « old » RSA certificate.

This is better for your server and your visitors.

 

However, it’s kind of complicated. Official client are nor documented, nor fully and easily compatible with ECDSA certificate generation. Braces yourselves.

First of all, download the Let’s Encrypt client and launch it:

cd /etc
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

 

Now; for the rest of the how-to, please change abyssproject.net and www.abyssproject.net by your domain name.

Create necessary folders:

mkdir /etc/letsencrypt/live-ecdsa/
mkdir /etc/letsencrypt/live-ecdsa/abyssproject.net
cd /etc/letsencrypt/live-ecdsa/abyssproject.net
mkdir letmp

 

Wait, I’m using secp384r1 curve in this example, she should adapt to every need. You can check all available curves on OpenSSL with this command:

openssl ecparam -list_curves

 

Now, create the private key for your certificate and indicate the curve wanted:

openssl ecparam -genkey -name secp384r1 > privkey-p384.pem

 

Now create your CSR (please indicate your own domain):

openssl req -new -sha256 -key privkey-p384.pem -subj "/CN=abyssproject.net" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:abyssproject.net,DNS:www.abyssproject.net")) -outform der -out csr-p384.der

 

Go into the temp folder « letmp » and create your Let’s Encrypt certificate:

cd letmp
/etc/letsencrypt/letsencrypt-auto certonly -a webroot --email mail@abyssproject.net --webroot-path /www/abyssproject.net/ --csr /etc/letsencrypt/live-ecdsa/abyssproject.net/csr-p384.der --renew-by-default --agree-tos
cat 0001* > /etc/letsencrypt/live-ecdsa/abyssproject.net/chain.pem

 

If it works, simply enter the configuration in Nginx 🙂

ssl_certificate /etc/letsencrypt/live-ecdsa/abyssproject.net/chain.pem;
ssl_certificate_key /etc/letsencrypt/live-ecdsa/abyssproject.net/privkey-p384.pem;

 

Just reload the webserver after that:

service nginx reload

 

And now, you are using a ECDSA certificate (Test tool) 🙂

certificate-ecdsa

By |2016-02-13T00:08:02+00:0012 février 2016|GNU/Linux|2 Comments

About the Author:

Diplômé d'un BTS SIO SISR et travaillant actuellement en Suisse, je suis passionné par tout ce qui touche à l'informatique et la musique hard rock et métal depuis ma plus tendre enfance. Je suis le créateur et l'unique rédacteur d'Abyss Project, ce blog qui me sert de bloc-notes public en quelque sorte.

2
Poster un Commentaire

avatar
1 Comment threads
1 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
2 Comment authors
Nicolas SimondBen Recent comment authors

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

Plus récents Plus anciens Populaires
Ben
Invité

Hello, thanks for this useful tutorial, what is necessary to regenerate certificate (extends to 3 months)