On Thu, Feb 11, 2021 at 08:55:55PM +0000, Stuart Henderson wrote:
> acme-client works with ecdsa certificates, but if there's no existing
> key, it has no way to tell whether you want ec or rsa so it can't
> actually generate a new ec key. (even if it did, acme-client's default
> secp384r1 isn't accepted by buypass).
>
> here are a few changes for ssl(8) that i think are helpful.
> it uses the single command that generates params and a key together,
> which is the only step needed if you're using it with acme-client,
> and then generates a csr separately (as is already done for rsa).
>
> i've included some small changes for rsa as well (not everyone wants
> such a long key as acme-client uses by default, especially if they
> are handling high connection rates).
>
> any comments?
This makes sense to me. I like the streamlining of the ECDSA case except for one detail: the eccert.key is no longer saved into /etc/ssl/private (probably to avoid line wraps). It is assumed to be there in the last command before SEE ALSO. The intent may be obvious to a user who has read the RSA section but it may lead to errors for those who didn't. I don't remember the rules for SEE ALSO. Should acme-client have an Xr there?