author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 19:02:44 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 19:17:49 +0100 |
commit | c93443364ce23ced97a80bfda8f8bb35ec19fcdb (patch) | |
tree | 045db8181eac474416f04c23155355add920ab17 /lacme.8.md | |
parent | 647d28bf9b8da2ce47a888aad71ab5264eea6c6d (diff) |
documentation: suggest generating private key material with genpkey(1ssl).
* Also suggest a command to generate an ECDSA key, not just RSA.
* Hint at which key algorithms are supported.
Diffstat (limited to 'lacme.8.md')
-rw-r--r-- | lacme.8.md | 26 |
1 files changed, 22 insertions, 4 deletions
@@ -332,11 +332,28 @@ Valid options are: *certificate-key* -: Path the service's private key. This option is required. The - following command can be used to generate a new 4096-bits RSA key in - PEM format with mode 0600: +: Path to the service's private key. This option is required. The + [`genpkey`(1ssl)] command can be used to generate a new service RSA + key: - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/srv.key + $ install -vm0600 /dev/null /path/to/service.rsa.key + $ openssl genpkey -algorithm RSA -out /path/to/service.rsa.key + + Alternatively, for an ECDSA key using the NIST P-256 curve: + + $ install -vm0600 /dev/null /path/to/service.ecdsa.key + $ openssl genpkey -algorithm EC -out /path/to/service.ecdsa.key \ + -pkeyopt ec_paramgen_curve:P-256 \ + -pkeyopt ec_param_enc:named_curve + + `lacme` supports any key algorithm than the underlying libssl + (OpenSSL) version is able to manipulate, but the [ACME] server might + reject CSRs associated with private keys of deprecated and/or + “exotic” algorithms. + + For a dual cert setup (for instance RSA+ECDSA), duplicate the + certificate section and use a distinct *certificate-key* resp. + *certificate* (or *certificate-chain*) value for each key algorithm. *min-days* @@ -407,3 +424,4 @@ See also [`iptables`(8)]: https://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html +[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html |
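Review bot: in the *certificate-key* hunk, `openssl genpkey -algorithm RSA -out /path/to/service.rsa.key` silently changes the recommended key size: the removed `openssl genrsa 4096` produced a 4096-bit key, while `genpkey` without `-pkeyopt rsa_keygen_bits:` falls back to OpenSSL's default of 2048 bits. Either add `-pkeyopt rsa_keygen_bits:4096` to the command or state the default explicitly so the downgrade is a documented choice rather than an accident. In the same hunk, "supports any key algorithm than the underlying libssl" should read "that the underlying libssl". The `install -vm0600 /dev/null …` followed by `genpkey -out …` pattern is sound (the existing file is truncated and keeps its 0600 mode, so the key is never briefly readable by others), but a short remark saying that this is why the two commands are kept separate would stop readers from collapsing them back into a pipeline with a default umask.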
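Review bot: the new `[`genpkey`(1ssl)]` reference points at `manmaster/man1/openssl-genpkey.html`, whereas the adjacent `ciphers`(1ssl) and `x509v3_config`(5ssl) entries in the same block use the older `manmaster/apps/…` paths. Mixing the two layouts in one list is a style inconsistency; consider updating the neighbouring entries to the `man1/`/`man5/` form in the same pass, or at least follow the new form for future additions.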