Elliptic Curve Crypto & LetsEncrypt

Submitted by Admin on Sun, 21/06/2020 - 10:53

Source, with thanks to Bob Cromwell.

Note that large key sizes such as 4096-bit RSA can hurt the server's performance and are not recommended. So P-256 (also known as secp256r1 and prime256v1) should be the curve used for ECC, and anything beyond 2048-bit RSA is considered bloat... until at least around 2030...

Summary:

Initial cert issue with 4096-bit RSA keys:

certbot --apache certonly --cert-name abispa.waspa.org.za -d abispa.waspa.org.za --rsa-key-size 4096

(Yes, that key-size came from the OP. Don't do it.)

Generate keys and CSR:

mkdir ~/certbot-renewal

cd ~/certbot-renewal

## Nope: ~openssl ecparam -genkey -name secp384r1 | openssl ec -out ecc-privkey.pem~

openssl ecparam -genkey -name prime256v1 | openssl ec -out ecc-privkey.pem

Before generating the CSR (Certificate Signing Request), change the OpenSSL configuration to enable multiple names:

nano /etc/ssl/openssl.cnf

Find and uncomment the entry:

req_extensions = v3_req

Find the [ v3_req ] section and add a line below it:

subjectAltName = @alt_names

Add a new stanza at the end of the file:

[alt_names]
DNS.1 = abispa.waspa.org.za
DNS.2 = ab.waspa.org.za

Now generate the CSR:

## Nope: openssl req -new -sha256 -key ecc-privkey.pem -nodes -outform pem -out ecc-csr.pem

But that doesn't work for SANs. This does (the <( ) process substitution needs bash, not plain sh, and the line continuations must all end in a backslash):

openssl req -new -sha256 \
    -key ecc-privkey.pem \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:abispa.waspa.org.za,DNS:ab.waspa.org.za")) \
    -nodes -outform pem \
    -out ecc-csr.pem

Source: stackexchange

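The same key and two-name CSR built from a throwaway config file instead of the bash-only <( ) trick, with the SANs read back out before the CSR goes to certbot. This is an added example, not code from the post or its source; file names and paths are assumptions for illustration.

```shell
# Added example, not from the original post: build the P-256 key and the
# two-name CSR from a throwaway config file (portable to plain sh, unlike
# the <( ) trick), then read the SANs back out before handing the CSR to
# certbot. File names and paths here are assumptions for illustration.
set -eu

# Write a P-256 (prime256v1) private key to $1, EC parameters omitted.
gen_ecc_key() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1"
}

# Make a CSR at $3 for key $1 with the comma-separated DNS names in $2,
# e.g. "abispa.waspa.org.za,ab.waspa.org.za"; the first name is the CN.
gen_san_csr() {
    key=$1 sans=$2 out=$3
    cn=${sans%%,*}
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = san\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[san]\nsubjectAltName = '
        printf '%s\n' "$sans" | sed 's/^/DNS:/; s/,/,DNS:/g'
    } > "$cfg"
    openssl req -new -sha256 -key "$key" -config "$cfg" -outform pem -out "$out"
    rm -f "$cfg"
}

# List the DNS SANs in CSR $1, one per line; empty output means the
# extension never made it in (the failure mode the post runs into).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Return 0 only if the CSR's self-signature verifies and it carries every
# name in $2 (same comma-separated form as gen_san_csr takes).
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    got=$(csr_sans "$1")
    for name in $(printf '%s\n' "$2" | tr ',' ' '); do
        printf '%s\n' "$got" | grep -qx "$name" || return 1
    done
}
```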

Now ask Let's Encrypt to generate a certificate, and pass it our CSR:

certbot --apache certonly --cert-name abispa.waspa.org.za -d abispa.waspa.org.za -d ab.waspa.org.za --email ops@ff.co.za --csr ecc-csr.pem --agree-tos

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Performing the following challenges:
http-01 challenge for ab.waspa.org.za
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /root/ecc/0001_cert.pem
Cert chain written to 9
Cert chain written to 10

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /root/ecc/0003_chain.pem
   Your cert will expire on 2020-09-20


This gives us three new files in the local directory:

0000_cert.pem   = The certificate itself
0000_chain.pem  = The signing chain
0001_chain.pem  = The full chain including our certificate

Storing Both Certificates

Rename the existing "archive" and "live" directories to rsa-archive and rsa-live.
Recreate the symbolic links in rsa-live/abispa.waspa.org.za to point to the relocated "archive" files.
Edit renewal/abispa.waspa.org.za.conf and make corresponding changes to the paths.

Verify that renewal still works:

certbot renew --dry-run

Next, create new directories:

mkdir -p /etc/letsencrypt/ecc-archive/abispa.waspa.org.za
mkdir -p /etc/letsencrypt/ecc-live/abispa.waspa.org.za

Move the ECC files into the ecc-archive area, changing the names as required.
Create the symbolic links under ecc-live.
Rename the RSA files in csr and keys, and move the corresponding ECC files into those areas.

(Note: The OP made an additional ecc-domain.conf file in renewal, but I skipped that step and everything worked. But when I backtracked and did do it, it failed. The bottom line is that it is unnecessary as certbot will not renew the ECC certificate anyway. And the next page in the book provides the script around.)
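Since certbot will not renew the --csr certificate itself, the rotation has to be scripted: re-request on the stored CSR, drop the new files into ecc-archive with certbot-style numbering, and re-point the ecc-live symlinks. This is an added example, not the script from the post's source; the base directory argument, the certbot --cert-path/--chain-path/--fullchain-path flags and the file names are assumptions about the reader's setup.

```shell
# Added example, not the script from the post's source: because certbot
# will not renew a --csr certificate, re-request it and slot the new files
# into the ecc-archive/ecc-live layout with certbot-style numbering.
# Paths, the base directory argument and the --cert-path flags are
# assumptions about the reader's setup.
set -eu

# Highest existing certN.pem number under archive dir $1, or 0 if none.
latest_version() {
    ls "$1"/cert[0-9]*.pem 2>/dev/null \
        | sed 's/.*cert\([0-9]*\)\.pem$/\1/' | sort -n | tail -1 | grep . || echo 0
}

# install_ecc_cert BASE DOMAIN KEY CERT CHAIN FULLCHAIN: copy the four
# files into BASE/ecc-archive/DOMAIN as version N+1, then re-point the
# BASE/ecc-live/DOMAIN symlinks (relative, as certbot does). Prints N+1.
install_ecc_cert() {
    base=$1 domain=$2 key=$3 cert=$4 chain=$5 fullchain=$6
    archive=$base/ecc-archive/$domain
    live=$base/ecc-live/$domain
    mkdir -p "$archive" "$live"
    n=$(( $(latest_version "$archive") + 1 ))
    cp "$key" "$archive/privkey$n.pem" && chmod 600 "$archive/privkey$n.pem"
    cp "$cert" "$archive/cert$n.pem"
    cp "$chain" "$archive/chain$n.pem"
    cp "$fullchain" "$archive/fullchain$n.pem"
    for f in privkey cert chain fullchain; do
        ln -sf "../../ecc-archive/$domain/$f$n.pem" "$live/$f.pem"
    done
    echo "$n"
}

# renew_ecc BASE DOMAIN: ask Let's Encrypt for a fresh cert on the stored
# ECC CSR and install it. Not exercised by the test; it needs live certbot.
renew_ecc() {
    base=$1 domain=$2
    tmp=$(mktemp -d)
    certbot certonly --apache --csr "$base/csr/ecc-csr.pem" \
        --cert-path "$tmp/cert.pem" --chain-path "$tmp/chain.pem" \
        --fullchain-path "$tmp/fullchain.pem"
    install_ecc_cert "$base" "$domain" "$base/keys/ecc-privkey.pem" \
        "$tmp/cert.pem" "$tmp/chain.pem" "$tmp/fullchain.pem"
    rm -rf "$tmp"
}
```

Run renew_ecc from a timer or cron a few weeks before the expiry date certbot prints, then reload Apache so it picks up the new ecc-live files.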

root@abispa /etc/letsencrypt $ tree -f
.
├── ./accounts
│   ├── ./accounts/acme-staging-v02.api.letsencrypt.org
│   │   └── ./accounts/acme-staging-v02.api.letsencrypt.org/directory
│   │       └── ./accounts/acme-staging-v02.api.letsencrypt.org/directory/4463f86726f238750fa09788d6201b7f
│   │           ├── ./accounts/acme-staging-v02.api.letsencrypt.org/directory/4463f86726f238750fa09788d6201b7f/meta.json
│   │           ├── ./accounts/acme-staging-v02.api.letsencrypt.org/directory/4463f86726f238750fa09788d6201b7f/private_key.json
│   │           └── ./accounts/acme-staging-v02.api.letsencrypt.org/directory/4463f86726f238750fa09788d6201b7f/regr.json
│   └── ./accounts/acme-v02.api.letsencrypt.org
│       └── ./accounts/acme-v02.api.letsencrypt.org/directory
│           └── ./accounts/acme-v02.api.letsencrypt.org/directory/fea27690d5f5b8d7c15e61a63f51d741
│               ├── ./accounts/acme-v02.api.letsencrypt.org/directory/fea27690d5f5b8d7c15e61a63f51d741/meta.json
│               ├── ./accounts/acme-v02.api.letsencrypt.org/directory/fea27690d5f5b8d7c15e61a63f51d741/private_key.json
│               └── ./accounts/acme-v02.api.letsencrypt.org/directory/fea27690d5f5b8d7c15e61a63f51d741/regr.json
├── ./cli.ini
├── ./csr
│   ├── ./csr/0000_csr-certbot.pem
│   ├── ./csr/0001_csr-certbot.pem
│   └── ./csr/ecc-csr.pem
├── ./ecc-archive
│   └── ./ecc-archive/abispa.waspa.org.za
│       ├── ./ecc-archive/abispa.waspa.org.za/cert1.pem
│       ├── ./ecc-archive/abispa.waspa.org.za/cert.pem
│       ├── ./ecc-archive/abispa.waspa.org.za/chain1.pem
│       ├── ./ecc-archive/abispa.waspa.org.za/chain.pem
│       ├── ./ecc-archive/abispa.waspa.org.za/fullchain1.pem
│       ├── ./ecc-archive/abispa.waspa.org.za/fullchain.pem
│       └── ./ecc-archive/abispa.waspa.org.za/privkey1.pem
├── ./ecc-live
│   └── ./ecc-live/abispa.waspa.org.za
│       ├── ./ecc-live/abispa.waspa.org.za/cert.pem -> ../../ecc-archive/abispa.waspa.org.za/cert.pem
│       ├── ./ecc-live/abispa.waspa.org.za/chain.pem -> ../../ecc-archive/abispa.waspa.org.za/chain.pem
│       ├── ./ecc-live/abispa.waspa.org.za/fullchain.pem -> ../../ecc-archive/abispa.waspa.org.za/fullchain.pem
│       └── ./ecc-live/abispa.waspa.org.za/privkey.pem -> ../../ecc-archive/abispa.waspa.org.za/privkey1.pem
├── ./keys
│   ├── ./keys/0000_key-certbot.pem
│   ├── ./keys/0001_key-certbot.pem
│   └── ./keys/ecc-privkey.pem
├── ./options-ssl-apache.conf
├── ./renewal
│   └── ./renewal/abispa.waspa.org.za.conf
├── ./renewal-hooks
│   ├── ./renewal-hooks/deploy
│   ├── ./renewal-hooks/post
│   └── ./renewal-hooks/pre
├── ./rsa-archive
│   └── ./rsa-archive/abispa.waspa.org.za
│       ├── ./rsa-archive/abispa.waspa.org.za/cert1.pem
│       ├── ./rsa-archive/abispa.waspa.org.za/cert2.pem
│       ├── ./rsa-archive/abispa.waspa.org.za/chain1.pem
│       ├── ./rsa-archive/abispa.waspa.org.za/chain2.pem
│       ├── ./rsa-archive/abispa.waspa.org.za/fullchain1.pem
│       ├── ./rsa-archive/abispa.waspa.org.za/fullchain2.pem
│       ├── ./rsa-archive/abispa.waspa.org.za/privkey1.pem
│       └── ./rsa-archive/abispa.waspa.org.za/privkey2.pem
└── ./rsa-live
    ├── ./rsa-live/abispa.waspa.org.za
    │   ├── ./rsa-live/abispa.waspa.org.za/cert.pem -> ../../rsa-archive/abispa.waspa.org.za/cert2.pem
    │   ├── ./rsa-live/abispa.waspa.org.za/chain.pem -> ../../rsa-archive/abispa.waspa.org.za/chain2.pem
    │   ├── ./rsa-live/abispa.waspa.org.za/fullchain.pem -> ../../rsa-archive/abispa.waspa.org.za/fullchain2.pem
    │   ├── ./rsa-live/abispa.waspa.org.za/privkey.pem -> ../../rsa-archive/abispa.waspa.org.za/privkey2.pem
    │   └── ./rsa-live/abispa.waspa.org.za/README
    └── ./rsa-live/README

22 directories, 40 files

root@abispa /etc/letsencrypt $ cat renewal/abispa.waspa.org.za.conf 
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/rsa-archive/abispa.waspa.org.za
cert = /etc/letsencrypt/rsa-live/abispa.waspa.org.za/cert.pem
privkey = /etc/letsencrypt/rsa-live/abispa.waspa.org.za/privkey.pem
chain = /etc/letsencrypt/rsa-live/abispa.waspa.org.za/chain.pem
fullchain = /etc/letsencrypt/rsa-live/abispa.waspa.org.za/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fea27690d5f5b8d7c15e61a63f51d741
rsa_key_size = 4096
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

