add support for Elliptic Curve Cryptography (ECC)

diff --git a/README.md b/README.md
index 271c1ab2ff7f20111778e2cfeb9f69835caf2747..91700e95de0b79cedfebd66e76794e9b23ddea2c 100644 (file)
--- a/README.md
+++ b/README.md
@@ -84,3 +84,7 @@ An alternative to setting the WELLKNOWN variable would be to create a symlink to
 This script also supports the new `dns-01`-type verification. Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322 for the current state of `dns-01` support.
 
 You need a hook script that deploys the challenge to your DNS server!
+
+### Elliptic Curve Cryptography (ECC)
+
+This script also supports certificates with Elliptic Curve public keys! Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support.

diff --git a/config.sh.example b/config.sh.example
index 24eea5216767eed51952e3a9268c35439fa4f3ac..7c9f39418fabf392ac57c3869a4fddca766553b5 100644 (file)
--- a/config.sh.example
+++ b/config.sh.example
@@ -54,5 +54,8 @@
 # Regenerate private keys instead of just signing new certificates on renewal (default: no)
 #PRIVATE_KEY_RENEW="no"
 
+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=rsa
+
 # E-mail to use during the registration (default: <unset>)
 #CONTACT_EMAIL=

diff --git a/letsencrypt.sh b/letsencrypt.sh
index 6657f39173b90057c4edf512eb16e5dce4598069..41250f4eaa15c879442c940ad2eef97c363ca374 100755 (executable)
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -40,6 +40,7 @@ load_config() {
   KEYSIZE="4096"
   WELLKNOWN="${BASEDIR}/.acme-challenges"
   PRIVATE_KEY_RENEW="no"
+  KEY_ALGO=rsa
   OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf"
   CONTACT_EMAIL=
   LOCKFILE="${BASEDIR}/lock"
@@ -65,11 +66,13 @@ load_config() {
 
   [[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}"
   [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
+  [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
 
   [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue."
   if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
    _exiterr "Challenge type dns-01 needs a hook script for deployment... can not continue."
   fi
+  [[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... can not continue."
 }
 
 # Initialize system
@@ -254,7 +257,10 @@ sign_domain() {
   if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
     echo " + Generating private key..."
     privkey="privkey-${timestamp}.pem"
-    _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}"
+    case "${KEY_ALGO}" in
+      rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
+      prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
+    esac
   fi
 
   # Generate signing request config and the actual signing request
@@ -594,6 +600,14 @@ main() {
         PARAM_CHALLENGETYPE="${1}"
         ;;
 
+      # PARAM_Usage: --algo (-a) rsa|prime256v1|secp384r1
+      # PARAM_Description: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+      --algo|-a)
+        shift 1
+        check_parameters "${1:-}"
+        PARAM_KEY_ALGO="${1}"
+        ;;
+
       *)
         echo "Unknown parameter detected: ${1}" >&2
         echo >&2