
Generate RSA and ECDSA certificates #179

Closed
farcaller opened this issue Jul 13, 2016 · 10 comments

@farcaller

It would be nice to have an option to request both RSA and ECDSA certificates for the same domain; as of now the only way to do that (as far as I can tell) is to run two instances of acmetool.

@dschaper

https://scotthelme.co.uk/hybrid-rsa-and-ecdsa-certificates-with-nginx/

Looks like nginx 1.11 dropped with dual algorithm support.

@Thermi

Thermi commented Sep 22, 2016

It would be really nice to have this. In the meantime, a way to do this manually would be nice as well.

@hlandau hlandau self-assigned this Sep 22, 2016
@farcaller
Author

I do it manually with

#!/bin/sh

echo " * requesting RSA"
/bin/acmetool --batch --state=/data/rsa --hooks=/usr/lib/acme/hooks-rsa --response-file=/var/lib/acme/conf/responses/response.yaml want "$@"
status=$?
if [ "$status" -ne 0 ]; then
  # propagate acmetool's own exit status; `exit $?` inside the branch would
  # report the (successful) result of the [ ] test instead
  exit "$status"
fi

echo " * requesting ECDSA"
exec /bin/acmetool --batch --state=/data/ecdsa --hooks=/usr/lib/acme/hooks-ecdsa --response-file=/var/lib/acme/conf/responses/response.yaml want "$@"

Just two different acmetool installations.

@hlandau
Owner

hlandau commented Sep 22, 2016

Here's my proposal.

Target files will support a new item in the satisfy section:

    satisfy:
      key:
        type: ecdsa

If this is specified and request.key.type is not specified, request.key.type will be inherited from satisfy.key.type. Type-specific options like RSA key size and ECDSA curve can of course, as usual, be inherited from conf/target. So you set your preferred RSA key size and ECDSA curve in conf/target and end up with targetfiles like this:

    satisfy:
      names:
        - example.com
      key:
        type: ecdsa

    satisfy:
      names:
        - example.com
      key:
        type: rsa

Of course the satisfy.key.type for one of these can be omitted depending on what you have set as your default key type in conf/target.

Both targets will be satisfied, but only one can become the preferred symlink target for live/example.com. This can be controlled using the rarely used priority field. What I propose is a way to extend the labels used for the symlink directory live, so that these different targets can coexist.

    satisfy:
      names:
        - example.com
      key:
        type: ecdsa
    label: ecdsa

If a targetfile has a non-"" label, it will manifest at live/example.com@label rather than live/example.com. Of course, if there are multiple targets with the same label, priority will be used as usual.

Thoughts?

@Thermi

Thermi commented Sep 23, 2016

I can't really comment on the technical implementation, but I just want two distinct certificates (one RSA, one ECDSA) for a single hostname. That obviously requires two distinct private keys and targets. If your proposal allows acmetool to reconcile both targets and hence request and keep both certificates up to date, that solution will work fine.

@notr1ch

notr1ch commented Sep 26, 2016

The proposal seems fine to me. Just switched to acmetool from another client and would love to see this functionality added. Would there be a way to configure this from the command line too or would editing of each target file be necessary?

@amiri27

amiri27 commented Jun 9, 2017

Any progress on implementing this?

@hlandau hlandau added this to the 0.2.1 milestone Jun 24, 2018
hlandau added a commit that referenced this issue Jun 30, 2018
This allows RSA and ECDSA targets to coexist. A satisfy: key: type:
rsa|ecdsa option has also been added.

Closes #179.

©! I, Hugo Landau <hlandau@devever.net>, hereby licence these changes under the
©! licence with SHA256 hash
©! fd80a26fbb3f644af1fa994134446702932968519797227e07a1368dea80f0bc.
@hlandau
Owner

hlandau commented Jun 30, 2018

Implemented for v0.2.1.

@hlandau hlandau closed this as completed Jun 30, 2018
@amiri27

amiri27 commented Jun 30, 2018

Well done @hlandau... Any estimate release time regarding next version?

@hlandau
Owner

hlandau commented Jun 30, 2018

@amiri27 It'll probably still be a while, but you can participate in the alpha test if you want: #305

Usage instructions: Create a targetfile, e.g. /var/lib/acme/desired/foo.example.com-rsa:

satisfy:
  names:
    - foo.example.com
  key:
    type: rsa
label: rsa

and a targetfile e.g. /var/lib/acme/desired/foo.example.com-ecdsa:

satisfy:
  names:
    - foo.example.com
  key:
    type: ecdsa
label: ecdsa

Run acmetool.
Now the rsa certificate is at /var/lib/acme/live/foo.example.com:rsa and the ecdsa certificate is at /var/lib/acme/live/foo.example.com:ecdsa.

Future tweaks might provide a more ergonomic way to configure this than having two targetfiles, but the basic functionality is there.
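As an added illustration (not acmetool's own code) of the reconciliation rules described in the proposal and the usage instructions above, the Python below models how labelled targetfiles, the satisfy.key.type inheritance rule and priority decide which target ends up behind each live/ symlink. It uses the live/<name>:<label> layout from the final usage instructions rather than the @label form of the original proposal; the assumptions that a larger priority value wins and that a missing priority counts as 0, and the sample targets themselves, are mine.

```python
from collections import defaultdict

LIVE_DIR = "/var/lib/acme/live"  # live directory named in the issue

def effective_key_type(target, default_key_type):
    """request.key.type, else inherited satisfy.key.type, else the conf/target default."""
    requested = target.get("request", {}).get("key", {}).get("type")
    satisfy = target.get("satisfy", {}).get("key", {}).get("type")
    return requested or satisfy or default_key_type

def live_path(name, label):
    """Labelled targets land at live/<name>:<label>; unlabelled ones keep live/<name>."""
    return f"{LIVE_DIR}/{name}:{label}" if label else f"{LIVE_DIR}/{name}"

def resolve_live(targets, default_key_type="rsa"):
    """Map each live path to the target that wins it.

    targets: {targetfile name: parsed targetfile dict}. Targets that share a
    hostname and a label compete for one symlink; the highest priority wins
    (assumption: larger value preferred, missing priority counts as 0).
    'contested' flags paths where more than one target competed.
    """
    candidates = defaultdict(list)
    for tid, target in targets.items():
        priority = target.get("priority", 0)
        label = target.get("label", "")
        for name in target["satisfy"]["names"]:
            candidates[live_path(name, label)].append((priority, tid))
    resolved = {}
    for path, entries in candidates.items():
        _, winner = max(entries)
        resolved[path] = {
            "target": winner,
            "key_type": effective_key_type(targets[winner], default_key_type),
            "contested": len(entries) > 1,
        }
    return resolved

# Constructed sample: the two labelled targetfiles from the issue plus two
# unlabelled ones that compete for the plain live/foo.example.com symlink.
SAMPLE_TARGETS = {
    "foo.example.com-rsa": {"satisfy": {"names": ["foo.example.com"], "key": {"type": "rsa"}}, "label": "rsa"},
    "foo.example.com-ecdsa": {"satisfy": {"names": ["foo.example.com"], "key": {"type": "ecdsa"}}, "label": "ecdsa"},
    "foo.example.com": {"satisfy": {"names": ["foo.example.com"]}},
    "foo.example.com-legacy": {"satisfy": {"names": ["foo.example.com"]}, "priority": -1},
}

if __name__ == "__main__":
    print(resolve_live(SAMPLE_TARGETS, "ecdsa"))
```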
