starred/AutoACME

Fork 0

mirror of https://github.com/ridercz/AutoACME.git synced 2026-04-25 07:05:55 +03:00

[GH-ISSUE #51] Obtaining an Elliptic Curve certificate from Let's Encrypt #39

New issue

Closed

opened 2026-02-26 21:31:25 +03:00 by kerem · 3 comments

kerem commented

2026-02-26 21:31:25 +03:00

Owner

Originally created by @pik-256 on GitHub (Nov 18, 2021).
Original GitHub issue: https://github.com/ridercz/AutoACME/issues/51

Is there an option to obtain an EC certificate from LE with autoacme? All ciphers used by IIS with RSA certs (at least under Windows 2012 r2) are considered weak by Qualys SSL Labs. IIS does not use EC ciphers without EC certificates.
BTW there is an undocumented option "KeyAlgorithm": "RS256" in a config file, but I do not know if and how we could use it.

Originally created by @pik-256 on GitHub (Nov 18, 2021). Original GitHub issue: https://github.com/ridercz/AutoACME/issues/51 Is there an option to obtain an EC certificate from LE with autoacme? All ciphers used by IIS with RSA certs (at least under Windows 2012 r2) are considered weak by Qualys SSL Labs. IIS does not use EC ciphers without EC certificates. BTW there is an undocumented option "KeyAlgorithm": "RS256" in a config file, but I do not know if and how we could use it.

kerem closed this issue

2026-02-26 21:31:25 +03:00

kerem commented

2026-02-26 21:31:26 +03:00

Author

Owner

@avonwyss commented on GitHub (Nov 19, 2021):

Under the hood AutoACME uses Certes for LE interaction. I haven't checked the code, but using ES256, ES384 or ES512 as key algorithm may actually do the trick, see https://github.com/fszlin/certes/blob/main/src/Certes/KeyAlgorithm.cs

@avonwyss commented on GitHub (Nov 19, 2021): Under the hood AutoACME uses [Certes](https://github.com/fszlin/certes) for LE interaction. I haven't checked the code, but using ES256, ES384 or ES512 as key algorithm may actually do the trick, see https://github.com/fszlin/certes/blob/main/src/Certes/KeyAlgorithm.cs

kerem commented

2026-02-26 21:31:26 +03:00

Author

Owner

@pik-256 commented on GitHub (Nov 19, 2021):

Good hint. I can confirm: setting KeyAlgorithm to ES256 allowed to obtain an EC certificate from LE. Both when adding new host and when renewing an old RSA certificate. Subsequently, IIS (Win 2012 r2) offers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) cipher with this certificate, which SSL Labs did not consider to be weak. However, to have Grade A in SSL Labs, you don't need to use EC Certificates but disable TLS 1.0 and 1.1.

@pik-256 commented on GitHub (Nov 19, 2021): Good hint. I can confirm: setting KeyAlgorithm to ES256 allowed to obtain an EC certificate from LE. Both when adding new host and when renewing an old RSA certificate. Subsequently, IIS (Win 2012 r2) offers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) cipher with this certificate, which SSL Labs did not consider to be weak. However, to have Grade A in SSL Labs, you don't need to use EC Certificates but disable TLS 1.0 and 1.1.

kerem commented

2026-02-26 21:31:27 +03:00

Author

Owner

@avonwyss commented on GitHub (Nov 20, 2021):

Thank you very much for your feedback! I'll add this to the documentation.

@avonwyss commented on GitHub (Nov 20, 2021): Thank you very much for your feedback! I'll add this to the documentation.

No labels

pull-request

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/AutoACME#39

No description provided.

Rows
Columns