acme-client works with ecdsa certificates, but if there's no existing key, it has no way to tell whether you want ec or rsa so it can't actually generate a new ec key. (even if it did, acme-client's default secp384r1 isn't accepted by buypass).
here are a few changes for ssl(8) that i think are helpful. it uses the single command that generates params and a key together, which is the only step needed if you're using it with acme-client, and then generates a csr separately (as is already done for rsa). i've included some small changes for rsa as well (not everyone wants such a long key as acme-client uses by default, especially if they are handling high connection rates). any comments? ok? Index: ssl.8 =================================================================== RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.68 diff -u -p -r1.68 ssl.8 --- ssl.8 10 May 2019 12:41:49 -0000 1.68 +++ ssl.8 11 Feb 2021 20:48:27 -0000 @@ -64,6 +64,7 @@ key file is kept secure. To support HTTPS transactions in .Xr httpd 8 you will need to generate an RSA certificate. +Start by creating a private key of the desired length: .Bd -literal -offset indent # openssl genrsa -out /etc/ssl/private/server.key 4096 .Ed @@ -74,8 +75,13 @@ have to type in when starting servers # openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096 .Ed .Pp -The next step is to generate a Certificate Signing Request (CSR) which is -used to get a Certificate Authority (CA) to sign your certificate. +If you are only generating a private key to use with +.Xr acme-client 1 +(for example, with a non-default key length) +you may stop here. +.Pp +Otherwise, the next step is to generate a Certificate Signing Request (CSR) +which is used to get a Certificate Authority (CA) to sign your certificate. To do this use the command: .Bd -literal -offset indent # openssl req -new -key /etc/ssl/private/server.key \e @@ -123,26 +129,24 @@ with the certificate signed by your Cert restarting .Xr httpd 8 . .Sh GENERATING ECDSA SERVER CERTIFICATES -First, generate parameters for ECDSA keys. +First, generate a private ECDSA key. The following command will use a NIST/SECG curve over a 384-bit prime field: .Bd -literal -offset indent -# openssl ecparam -out ec-secp384r1.pem -name secp384r1 +# openssl ecparam -name secp384r1 -genkey -noout -out eccert.key .Ed .Pp -Once you have the ECDSA parameters generated, you can generate a -CSR and unencrypted private key using the command: -.Bd -literal -offset indent -# openssl req -nodes -newkey ec:ec-secp384r1.pem \e - -keyout /etc/ssl/private/eccert.key -new \e - -out /etc/ssl/private/eccert.csr -.Ed +Note that some Certificate Authorities will only issue certificates for +keys generated using prime256v1 parameters. .Pp -To generate an encrypted private key, you would use: +If you are only generating a private key to use with +.Xr acme-client 1 , +you may stop here. +Otherwise, the next step is to generate a Certificate Signing Request (CSR) +which is used to get a Certificate Authority (CA) to sign your certificate. +To do this use the command: .Bd -literal -offset indent -# openssl req -newkey ec:ec-secp384r1.pem \e - -keyout /etc/ssl/private/eccert.key -new \e - -out /etc/ssl/private/eccert.csr +# openssl req -key eccert.key -new -out /etc/ssl/private/eccert.csr .Ed .Pp This
