add support for Elliptic Curve Cryptography (ECC)

c71ca3a8 · Markus Germeier · 67a44aa4 · c71ca3a8 · c71ca3a8 · c71ca3a8
Commit c71ca3a8 authored Jan 16, 2016 by Markus Germeier
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 1 deletion

README.md README.md +4 -0

config.sh.example config.sh.example +3 -0

letsencrypt.sh letsencrypt.sh +15 -1

No files found.
--- a/README.md
+++ b/README.md
@@ -84,3 +84,7 @@ An alternative to setting the WELLKNOWN variable would be to create a symlink to
 This script also supports the new `dns-01`-type verification. Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322 for the current state of `dns-01` support.

 You need a hook script that deploys the challenge to your DNS server!
+
+### Elliptic Curve Cryptography (ECC)
+
+This script also supports certificates with Elliptic Curve public keys! Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support.
--- a/config.sh.example
+++ b/config.sh.example
@@ -54,5 +54,8 @@
 # Regenerate private keys instead of just signing new certificates on renewal (default: no)
 #PRIVATE_KEY_RENEW="no"

+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=rsa
+
 # E-mail to use during the registration (default: <unset>)
 #CONTACT_EMAIL=
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -40,6 +40,7 @@ load_config() {
  KEYSIZE="4096"
  WELLKNOWN="${BASEDIR}/.acme-challenges"
  PRIVATE_KEY_RENEW="no"
+  KEY_ALGO=rsa
  OPENSSL_CNF="$(openssl version -d | cut -d'"' -f2)/openssl.cnf"
  CONTACT_EMAIL=
  LOCKFILE="${BASEDIR}/lock"
@@ -65,11 +66,13 @@ load_config() {

  [[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}"
  [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
+  [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"

  [[ "${CHALLENGETYPE}" =~ (http-01|dns-01) ]] || _exiterr "Unknown challenge type ${CHALLENGETYPE}... can not continue."
  if [[ "${CHALLENGETYPE}" = "dns-01" ]] && [[ -z "${HOOK}" ]]; then
   _exiterr "Challenge type dns-01 needs a hook script for deployment... can not continue."
  fi
+  [[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... can not continue."
 }

 # Initialize system
@@ -254,7 +257,10 @@ sign_domain() {
  if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
    echo " + Generating private key..."
    privkey="privkey-${timestamp}.pem"
-    _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}"
+    case "${KEY_ALGO}" in
+      rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
+      prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
+    esac
  fi

  # Generate signing request config and the actual signing request
@@ -594,6 +600,14 @@ main() {
        PARAM_CHALLENGETYPE="${1}"
        ;;

+      # PARAM_Usage: --algo (-a) rsa|prime256v1|secp384r1
+      # PARAM_Description: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+      --algo|-a)
+        shift 1
+        check_parameters "${1:-}"
+        PARAM_KEY_ALGO="${1}"
+        ;;
+
      *)
        echo "Unknown parameter detected: ${1}" >&2
        echo >&2