
Support multiple certificate key types at once (RSA + ECDSA) #109

Open
JayH5 opened this issue Feb 14, 2017 · 1 comment

Comments

@JayH5 (Contributor) commented Feb 14, 2017

This is perhaps a "nice to have" but the infrastructure is there for it so I thought I'd mention it.

In HAProxy 1.7, it's possible to specify multiple certificates for a single domain with different key types. So one certificate can have an RSA key, and another an ECDSA key: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt

Similar functionality is available in Nginx 1.11.0+ (although 1.11 is the mainline release and not yet "stable"): http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

Let's Encrypt has supported signing ECDSA certificates for a year now, albeit with an RSA intermediary. ECDSA intermediary support is coming before the end of March: https://letsencrypt.org/upcoming-features/

It's probably possible to achieve this currently with 2 instances of the txacme service, one with generate_key set to generate ECDSA keys (and maybe some kind of custom certificate store shared between them). But this is likely a bit complicated.

I'm interested in supporting ECDSA keys for TLS as we need to support low-power/bandwidth devices at my work and I'm interested in the potential benefits of the smaller key size afforded by ECDSA.

@mithrandi mithrandi added this to the Post 1.0.0 milestone Feb 14, 2017
@mithrandi (Contributor) commented Feb 14, 2017

Things to figure out here:

  • Storage: if the RSA and ECDSA key are issued by the same intermediary, it's not that complicated to parse out the two different cert/key pairs, and the intermediary chain will otherwise be the same. However, in the future this will likely not be the case, so we need to support fully distinct issuing chains, which means conflating them is probably a bad idea.
  • Supporting multiple keys in the txacme endpoint; this is mostly a txsni thing, Support dual ECDSA/RSA certs glyph/txsni#6 already exists to track support for this.
  • Rate limits; I think Let's Encrypt counts issuing an RSA cert and issuing an ECDSA cert (for the same names) equivalently to issuing two identical RSA certs (i.e. this counts towards the "Duplicate certificate" limit for reissues). There isn't necessarily anything txacme needs to or can do about this, but it may warrant some attention in the documentation around this feature.
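The shape both comments describe (one key per key type for the same name, a CSR per key, and a store that keeps the RSA and ECDSA material and their chains apart) as an added example in Python using the `cryptography` package. This is not txacme's code and not code from either commenter: `generate_key`, `MultiKeyStore`, `issue_all_types`, the `chain_pem` slot and the `issuances` counter are assumptions chosen for illustration. The counter mirrors the rate-limit point: two issuances are consumed for one hostname, one per key type.

```python
"""Added example, not txacme's own code: one private key per key type for the
same hostname, kept in a store keyed by (hostname, key_type) so that the RSA
and ECDSA cert/key pairs and their issuing chains are never conflated.

Assumes the `cryptography` package. The ACME signing step is not performed;
the per-type CSR is enough to show the split, and `chain_pem` is the slot a
distinct issuing chain would later fill.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

KEY_TYPES = ("rsa", "ecdsa")  # assumption: the two types a multi-cert bundle carries


def generate_key(key_type: str):
    """Generate a private key of the requested type: RSA-2048 or ECDSA P-256."""
    if key_type == "rsa":
        return rsa.generate_private_key(public_exponent=65537, key_size=2048)
    if key_type == "ecdsa":
        return ec.generate_private_key(ec.SECP256R1())
    raise ValueError(f"unsupported key type: {key_type}")


def key_type_of(key) -> str:
    """Classify a private key so the store can verify it is filed under the right type."""
    if isinstance(key, rsa.RSAPrivateKey):
        return "rsa"
    if isinstance(key, ec.EllipticCurvePrivateKey):
        return "ecdsa"
    raise TypeError("not an RSA or ECDSA private key")


def build_csr(key, hostname: str) -> x509.CertificateSigningRequest:
    """Build a CSR for `hostname` signed with `key`; one CSR per key type."""
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
    )
    return builder.sign(key, hashes.SHA256())


@dataclass
class Entry:
    key: object
    csr: x509.CertificateSigningRequest
    chain_pem: Optional[bytes] = None  # issued chain; distinct per key type, never shared


@dataclass
class MultiKeyStore:
    """Store indexed by (hostname, key_type); each entry carries its own chain slot."""
    entries: Dict[Tuple[str, str], Entry] = field(default_factory=dict)
    issuances: Dict[str, int] = field(default_factory=dict)  # per-hostname issuance count

    def put(self, hostname: str, key, csr: x509.CertificateSigningRequest) -> None:
        kt = key_type_of(key)  # derive the type from the key itself, not from the caller
        self.entries[(hostname, kt)] = Entry(key=key, csr=csr)
        self.issuances[hostname] = self.issuances.get(hostname, 0) + 1

    def get(self, hostname: str, key_type: str) -> Entry:
        return self.entries[(hostname, key_type)]

    def key_types(self, hostname: str) -> List[str]:
        return sorted(kt for (h, kt) in self.entries if h == hostname)


def issue_all_types(hostname: str) -> MultiKeyStore:
    """Generate a key and CSR for every key type and file each under its own entry."""
    store = MultiKeyStore()
    for kt in KEY_TYPES:
        key = generate_key(kt)
        store.put(hostname, key, build_csr(key, hostname))
    return store


def public_key_der_size(key) -> int:
    """DER size of the SubjectPublicKeyInfo; shows the on-the-wire saving of ECDSA."""
    return len(key.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo))


if __name__ == "__main__":
    s = issue_all_types("example.com")  # constructed hostname
    for kt in s.key_types("example.com"):
        print(kt, "SPKI DER bytes:", public_key_der_size(s.get("example.com", kt).key))
    print("issuances consumed for example.com:", s.issuances["example.com"])
```

Deriving the type from the key object in `put` rather than trusting a caller-supplied label is the check that keeps an ECDSA key from being filed under the RSA entry; the separate `chain_pem` per entry is what allows the two issuing chains to differ later without touching the store layout.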
