From c71ca3a8b15da55307871ee92a2fb61d08e4c5aa Mon Sep 17 00:00:00 2001 From: Markus Germeier Date: Sat, 16 Jan 2016 18:55:36 +0100 Subject: [PATCH] add support for Elliptic Curve Cryptography (ECC) --- README.md | 4 ++++ config.sh.example | 3 +++ letsencrypt.sh | 16 +++++++++++++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 271c1ab..91700e9 100644 --- a/README.md +++ b/README.md @@ -84,3 +84,7 @@ An alternative to setting the WELLKNOWN variable would be to create a symlink to This script also supports the new `dns-01`-type verification. Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322 for the current state of `dns-01` support. You need a hook script that deploys the challenge to your DNS server! + +### Elliptic Curve Cryptography (ECC) + +This script also supports certificates with Elliptic Curve public keys! Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support. diff --git a/config.sh.example b/config.sh.example index 24eea52..7c9f394 100644 --- a/config.sh.example +++ b/config.sh.example @@ -54,5 +54,8 @@ # Regenerate private keys instead of just signing new certificates on renewal (default: no) #PRIVATE_KEY_RENEW="no" +# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 +#KEY_ALGO=rsa + # E-mail to use during the registration (default: ) #CONTACT_EMAIL= diff --git a/letsencrypt.sh b/letsencrypt.sh index 6657f39..41250f4 100755 --- a/letsencrypt.sh +++ b/letsencrypt.sh @@ -40,6 +40,7 @@ load_config() { KEYSIZE="4096" WELLKNOWN="${BASEDIR}/.acme-challenges" PRIVATE_KEY_RENEW="no" + KEY_ALGO=rsa OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf" CONTACT_EMAIL= LOCKFILE="${BASEDIR}/lock" @@ -65,11 +66,13 @@ load_config() { [[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}" [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}" + [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}" [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue." if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then _exiterr "Challenge type dns-01 needs a hook script for deployment... can not continue." fi + [[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... can not continue." } # Initialize system @@ -254,7 +257,10 @@ sign_domain() { if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then echo " + Generating private key..." privkey="privkey-${timestamp}.pem" - _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" + case "${KEY_ALGO}" in + rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";; + prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";; + esac fi # Generate signing request config and the actual signing request @@ -594,6 +600,14 @@ main() { PARAM_CHALLENGETYPE="${1}" ;; + # PARAM_Usage: --algo (-a) rsa|prime256v1|secp384r1 + # PARAM_Description: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 + --algo|-a) + shift 1 + check_parameters "${1:-}" + PARAM_KEY_ALGO="${1}" + ;; + *) echo "Unknown parameter detected: ${1}" >&2 echo >&2 -- 2.39.5