On Thu, Feb 11, 2021 at 08:55:55PM +0000, Stuart Henderson wrote:
> acme-client works with ecdsa certificates, but if there's no existing
> key, it has no way to tell whether you want ec or rsa so it can't
> actually generate a new ec key. (even if it did, acme-client's default
> secp384r1 isn't accepted by buypass).
> 
> here are a few changes for ssl(8) that i think are helpful.
> it uses the single command that generates params and a key together,
> which is the only step needed if you're using it with acme-client,
> and then generates a csr separately (as is already done for rsa).
> 
> i've included some small changes for rsa as well (not everyone wants
> such a long key as acme-client uses by default, especially if they
> are handling high connection rates).
> 
> any comments?

This makes sense to me. I like the streamlining of the ECDSA case except
for one detail: the eccert.key is no longer saved into /etc/ssl/private
(probably to avoid line wraps). It is assumed to be there in the last
command before SEE ALSO.  The intent may be obvious to a user who has
read the RSA section but it may lead to errors for those who didn't.

I don't remember the rules for SEE ALSO. Should acme-client have an Xr
there?
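The two-step workflow Stuart describes (one command that generates the EC parameters and key together, then a separate CSR step), as an added shell example that is not part of this thread or of the ssl(8) diff; the output paths, the CN, and the choice of prime256v1 rather than acme-client's default secp384r1 are assumptions. The caller decides where the key lands, so a user following the ECDSA section can pass a path under /etc/ssl/private explicitly.

```shell
#!/bin/sh
# Generate an ECDSA private key and a CSR for use with acme-client.
# Added example; assumes openssl(1) is in PATH and that the CA accepts
# the chosen curve (prime256v1 is an assumption, not taken from the thread).

gen_ec_key_and_csr() {
    key=$1    # e.g. /etc/ssl/private/eccert.key (assumed path)
    csr=$1    # placeholder, overwritten below
    csr=$2    # e.g. /etc/ssl/eccert.csr (assumed path)
    curve=$3  # e.g. prime256v1
    cn=$4     # subject common name for the CSR

    # Single command: EC parameters and key in one step, no separate params file.
    openssl ecparam -genkey -name "$curve" -noout -out "$key" || return 1

    # Private key material: owner-only permissions, as under /etc/ssl/private.
    chmod 600 "$key" || return 1

    # CSR generated separately from the existing key (same flow as the RSA case).
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" || return 1
}

# Print the curve actually embedded in a key, to confirm the CA will accept it.
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: //p'
}

# Demo run into a scratch directory when invoked as: sh thisfile demo
if [ "${1-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_ec_key_and_csr "$d/eccert.key" "$d/eccert.csr" prime256v1 example.org
    printf 'key curve: %s\n' "$(key_curve "$d/eccert.key")"
    openssl req -in "$d/eccert.csr" -noout -subject
fi
```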