On 2021/02/11 22:22, Theo Buehler wrote:
> On Thu, Feb 11, 2021 at 08:55:55PM +0000, Stuart Henderson wrote:
> > acme-client works with ecdsa certificates, but if there's no existing
> > key, it has no way to tell whether you want ec or rsa so it can't
> > actually generate a new ec key. (even if it did, acme-client's default
> > secp384r1 isn't accepted by buypass).
> >
> > here are a few changes for ssl(8) that i think are helpful.
> > it uses the single command that generates params and a key together,
> > which is the only step needed if you're using it with acme-client,
> > and then generates a csr separately (as is already done for rsa).
> >
> > i've included some small changes for rsa as well (not everyone wants
> > such a long key as acme-client uses by default, especially if they
> > are handling high connection rates).
> >
> > any comments?
>
> This makes sense to me. I like the streamlining of the ECDSA case except
> for one detail: the eccert.key is no longer saved into /etc/ssl/private
> (probably to avoid line wraps). It is assumed to be there in the last
> command before SEE ALSO. The intent may be obvious to a user who has
> read the RSA section but it may lead to errors for those who didn't.
>
> I don't remember the rules for SEE ALSO. Should acme-client have an Xr
> there?
Both good points. I think SEE ALSOs in both directions probably make sense. (There is a remaining point that acme-client suggests it can generate an ec key itself, and has some code for this, but I don't see how it can work - I am ignoring that for now ;) Index: usr.sbin/acme-client/acme-client.1 =================================================================== RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v retrieving revision 1.39 diff -u -p -r1.39 acme-client.1 --- usr.sbin/acme-client/acme-client.1 2 Jan 2021 19:04:21 -0000 1.39 +++ usr.sbin/acme-client/acme-client.1 11 Feb 2021 21:36:04 -0000 @@ -130,7 +130,8 @@ is reloaded: .Sh SEE ALSO .Xr openssl 1 , .Xr acme-client.conf 5 , -.Xr httpd.conf 5 +.Xr httpd.conf 5 , +.Xr ssl 8 .Sh STANDARDS .Rs .%A R. Barnes Index: share/man/man8/ssl.8 =================================================================== RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.68 diff -u -p -r1.68 ssl.8 --- share/man/man8/ssl.8 10 May 2019 12:41:49 -0000 1.68 +++ share/man/man8/ssl.8 11 Feb 2021 21:36:04 -0000 @@ -64,6 +64,7 @@ key file is kept secure. To support HTTPS transactions in .Xr httpd 8 you will need to generate an RSA certificate. +Start by creating a private key of the desired length: .Bd -literal -offset indent # openssl genrsa -out /etc/ssl/private/server.key 4096 .Ed 
@@ -74,8 +75,13 @@ have to type in when starting servers # openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096 .Ed .Pp -The next step is to generate a Certificate Signing Request (CSR) which is -used to get a Certificate Authority (CA) to sign your certificate. +If you are only generating a private key to use with +.Xr acme-client 1 +(for example, with a non-default key length) +you may stop here. +.Pp +Otherwise, the next step is to generate a Certificate Signing Request (CSR) +which is used to get a Certificate Authority (CA) to sign your certificate. To do this use the command: .Bd -literal -offset indent # openssl req -new -key /etc/ssl/private/server.key \e 
@@ -123,25 +129,25 @@ with the certificate signed by your Cert restarting .Xr httpd 8 . .Sh GENERATING ECDSA SERVER CERTIFICATES -First, generate parameters for ECDSA keys. +First, generate a private ECDSA key. The following command will use a NIST/SECG curve over a 384-bit prime field: .Bd -literal -offset indent -# openssl ecparam -out ec-secp384r1.pem -name secp384r1 +# openssl ecparam -name secp384r1 -genkey \e + -noout -out /etc/ssl/private/eccert.key .Ed .Pp -Once you have the ECDSA parameters generated, you can generate a -CSR and unencrypted private key using the command: -.Bd -literal -offset indent -# openssl req -nodes -newkey ec:ec-secp384r1.pem \e - -keyout /etc/ssl/private/eccert.key -new \e - -out /etc/ssl/private/eccert.csr -.Ed +Note that some Certificate Authorities will only issue certificates for +keys generated using prime256v1 parameters. .Pp -To generate an encrypted private key, you would use: +If you are only generating a private key to use with +.Xr acme-client 1 , +you may stop here. +Otherwise, the next step is to generate a Certificate Signing Request (CSR) +which is used to get a Certificate Authority (CA) to sign your certificate. +To do this use the command: .Bd -literal -offset indent -# openssl req -newkey ec:ec-secp384r1.pem \e - -keyout /etc/ssl/private/eccert.key -new \e +# openssl req -key /etc/ssl/private/eccert.key -new \e -out /etc/ssl/private/eccert.csr .Ed .Pp @@ -157,6 +163,7 @@ You can also sign the key yourself, usin -out /etc/ssl/eccert.crt .Ed .Sh SEE ALSO +.Xr acme-client 1 , .Xr openssl 1 , .Xr ssh 1 , .Xr ssl 3 ,
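Review bot: In the @@ -74 hunk of ssl.8, the new "you may stop here" paragraph lands directly after the encrypted-key example (`# openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096`), so a reader working top to bottom can reasonably conclude that the passphrase-protected key is the one to hand to acme-client(1); since acme-client runs unattended and cannot prompt for a passphrase, that key will not work. Suggest saying which key is meant, e.g. "If you are only generating an unencrypted private key to use with .Xr acme-client 1 ...", or moving the paragraph to follow the unencrypted example in the previous hunk.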
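Review bot: In the @@ -123 hunk of ssl.8, the encrypted-private-key variant for ECDSA ("To generate an encrypted private key, you would use:" with `openssl req -newkey ec:ec-secp384r1.pem -keyout ...`) is removed without a replacement, so the ECDSA section now documents only an unencrypted key while the RSA section above still shows both. Either state that `openssl ecparam -genkey` writes the key unencrypted, or add an equivalent step (for instance running the generated key through `openssl ec` with one of its encryption options) so the two sections stay parallel. Separately, the new sentence "some Certificate Authorities will only issue certificates for keys generated using prime256v1 parameters" would be more actionable if it told the reader to substitute `-name prime256v1` in the command just above.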