Diffstat (limited to 'lacme.8.md')
-rw-r--r-- | lacme.8.md | 26 |
1 files changed, 22 insertions, 4 deletions
@@ -332,11 +332,28 @@ Valid options are: *certificate-key* -: Path the service's private key. This option is required. The - following command can be used to generate a new 4096-bits RSA key in - PEM format with mode 0600: +: Path to the service's private key. This option is required. The + [`genpkey`(1ssl)] command can be used to generate a new service RSA + key: - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/srv.key + $ install -vm0600 /dev/null /path/to/service.rsa.key + $ openssl genpkey -algorithm RSA -out /path/to/service.rsa.key + + Alternatively, for an ECDSA key using the NIST P-256 curve: + + $ install -vm0600 /dev/null /path/to/service.ecdsa.key + $ openssl genpkey -algorithm EC -out /path/to/service.ecdsa.key \ + -pkeyopt ec_paramgen_curve:P-256 \ + -pkeyopt ec_param_enc:named_curve + + `lacme` supports any key algorithm than the underlying libssl + (OpenSSL) version is able to manipulate, but the [ACME] server might + reject CSRs associated with private keys of deprecated and/or + “exotic” algorithms. + + For a dual cert setup (for instance RSA+ECDSA), duplicate the + certificate section and use a distinct *certificate-key* resp. + *certificate* (or *certificate-chain*) value for each key algorithm. *min-days* @@ -407,3 +424,4 @@ See also [`iptables`(8)]: https://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html +[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html |
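Review bot: in the first hunk (*certificate-key*), the replacement `openssl genpkey -algorithm RSA -out /path/to/service.rsa.key` silently drops the explicit key size that the removed `openssl genrsa 4096` line carried; without `-pkeyopt rsa_keygen_bits:4096` genpkey uses its built-in default (2048 bits in current OpenSSL releases, smaller in old ones), so either add that option to the example or state in the text that the library default size is used. Two wording points in the same hunk: "any key algorithm than the underlying libssl" should read "that the underlying libssl", and "use a distinct *certificate-key* resp. *certificate* (or *certificate-chain*) value" reads more naturally as "use a distinct *certificate-key* and a distinct *certificate* (or *certificate-chain*) value". Finally, the pre-creation step `install -vm0600 /dev/null /path/to/service.rsa.key` followed by `genpkey -out` onto that file is the right way to end up with a 0600 key, but the removed text's mention of "mode 0600" is gone from the new version; a short sentence saying that the file is created first so the key is never written with umask-derived permissions would stop readers from dropping the `install` line.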
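Review bot: in the second hunk (the "See also" link list), the added `[`genpkey`(1ssl)]` definition uses the `manmaster/man1/openssl-genpkey.html` URL form while the two entries above it still use the older `manmaster/apps/ciphers.html` and `manmaster/apps/x509v3_config.html` form; the link itself is correct and is needed by the reference introduced in the first hunk, but consider moving the adjacent `ciphers` and `x509v3_config` entries to the same `man1`/`man5` scheme so the list points at one layout of the OpenSSL documentation.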