Generate RSA and ECDSA certificates #179
Comments
https://scotthelme.co.uk/hybrid-rsa-and-ecdsa-certificates-with-nginx/ Looks like nginx 1.11 dropped with dual algorithm support. |
It would be really nice to have this. For the meantime, a way to do this manually would be nice as well. |
I do it manually with
Just two different acmetool installations. |
Here's my proposal. Target files will support a new item in the

    satisfy:
      key:
        type: ecdsa

If this is specified and request.key.type is not specified, request.key.type will be inherited from satisfy.key.type. Type-specific options like RSA key size and ECDSA curve can of course, as usual, be inherited from

    satisfy:
      names:
        - example.com
      key:
        type: ecdsa

    satisfy:
      names:
        - example.com
      key:
        type: rsa

Of course the satisfy.key.type for one of these can be omitted depending on what you have set as your default key type in

Both targets will be satisfied, but only one can become the preferred symlink target for

    satisfy:
      names:
        - example.com
      key:
        type: ecdsa
    label: ecdsa

If a targetfile has a non-"" label, it will manifest at

Thoughts? |
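The matching rule this proposal relies on, as an added example that is not part of the thread and not acmetool's own code: a target whose satisfy.key.type is ecdsa is not satisfied by an RSA certificate for the same name, so each target keeps its own certificate. `Satisfies`, `SelfSigned` and `must` are hypothetical names, the certificates are constructed self-signed samples, and the default-key-type fallback mentioned above is not modelled.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Satisfies is a hypothetical model of the proposed rule: the key algorithm
// must equal satisfy.key.type and every name in satisfy.names must be covered.
func Satisfies(c *x509.Certificate, keyType string, names ...string) bool {
	ok := strings.EqualFold(c.PublicKeyAlgorithm.String(), keyType)
	for _, n := range names {
		ok = ok && c.VerifyHostname(n) == nil
	}
	return ok
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SelfSigned builds a constructed, one-hour sample certificate for name.
func SelfSigned(keyType, name string) *x509.Certificate {
	key := crypto.Signer(must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)))
	if keyType == "rsa" {
		key = must(rsa.GenerateKey(rand.Reader, 2048))
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tpl, tpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

func main() {
	r, e := SelfSigned("rsa", "example.com"), SelfSigned("ecdsa", "example.com")
	fmt.Println("ecdsa target satisfied by RSA cert:  ", Satisfies(r, "ecdsa", "example.com"))
	fmt.Println("ecdsa target satisfied by ECDSA cert:", Satisfies(e, "ecdsa", "example.com"))
}
```

The same check applies to certificates read from disk once they are parsed with `x509.ParseCertificate`.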
I can't really comment on the technical implementation, but I just want two distinct certificates (one RSA, one ECDSA) for a single hostname. That obviously requires two distinct private keys and targets. If your proposal allows acmetool to reconcile both targets and hence request and keep both certificates up to date, that solution will work fine. |
The proposal seems fine to me. Just switched to acmetool from another client and would love to see this functionality added. Would there be a way to configure this from the command line too or would editing of each target file be necessary? |
Any progress on implementing this? |
This allows RSA and ECDSA targets to coexist. A satisfy: key: type: rsa|ecdsa option has also been added. Closes #179. ©! I, Hugo Landau <hlandau@devever.net>, hereby licence these changes under the ©! licence with SHA256 hash ©! fd80a26fbb3f644af1fa994134446702932968519797227e07a1368dea80f0bc.
Implemented for v0.2.1. |
Well done @hlandau... Any estimate release time regarding next version? |
@amiri27 It'll probably still be a while, but you can participate in the alpha test if you want: #305 Usage instructions: Create a targetfile, e.g.
and a targetfile e.g.
Run Future tweaks might provide a more ergonomic way to configure this than having two targetfiles, but the basic functionality is there. |
It would be nice to have an option to request both RSA and ECDSA certificates for the same domain. As of now, the only way to do that (as far as I figured) is to run two instances of acmetool.