
x/crypto/acme/autocert: no way to generate RSA certificates #17744

Closed
niemeyer opened this issue Nov 2, 2016 · 8 comments

Comments

@niemeyer
Contributor

niemeyer commented Nov 2, 2016

Let's Encrypt supports generation of RSA certificates, and the code can be easily adapted to support them by simply changing the private key generation functions, but there's currently no way to enable that from the outside.

@bradfitz
Contributor

bradfitz commented Nov 2, 2016

@x1ddos, what's the plan here? Didn't you recently change it away from RSA?

@bradfitz bradfitz added this to the Unreleased milestone Nov 2, 2016
@x1ddos

x1ddos commented Nov 3, 2016

@niemeyer the initial implementation in fact used solely RSA keys. Some code reviewers have been repeatedly suggesting to switch to EC, arguing that most modern clients support EC-based certs now, which I agreed with. I haven't seen a need for RSA since then, except when forced to integrate with a legacy system (which led to things like https://go-review.googlesource.com/27750).

To accommodate broader needs, there was another proposal: generate 2 certs, RSA + EC, and provide the one compatible with what ClientHelloInfo indicates.

Would that work for your use case?

@x1ddos

x1ddos commented Nov 3, 2016

Ah @bradfitz no, not recently. Well, quite shortly after autocert was released. For instance, see this: https://go-review.googlesource.com/28851.

@x1ddos

x1ddos commented Nov 3, 2016

@bradfitz sorry, yeah I meant we did switch from RSA to EC :)
(I should slow down when reading)

@titanous
Member

titanous commented Dec 15, 2016

This is a duplicate of #17385, but I believe #17385 should be closed as this issue is clearer and has more discussion.

@bradfitz
Contributor

@x1ddos, your two-cert proposal works. Or a simple boolean option for now too. (ForceRSA bool)

But let's do something soonish so more people can use autocert.

@x1ddos

x1ddos commented Dec 15, 2016 via email

@gopherbot

CL https://golang.org/cl/34570 mentions this issue.

@golang golang locked and limited conversation to collaborators Dec 16, 2017
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
Currently, autocert.Manager always generates EC-based certificates.
This change adds an optional field forcing the Manager to use RSA
instead.

An alternative idea, a "double" certificate, where the Manager
presents either an RSA or an EC certificate based on the client's compatibility,
doesn't seem to be worth the implementation time given the constant
increase in Elliptic Curve cryptography.

Fixes golang/go#17744

Change-Id: Idc68abfc698bcff4aad99715baefc06f8fae50ad
Reviewed-on: https://go-review.googlesource.com/34570
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
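The ForceRSA switch from the commit above and the two-certificate idea x1ddos floated earlier, as an added Go example that is not part of this issue or of x/crypto: NewCert generates either key type and wraps it in a self-signed leaf (a constructed stand-in for the ACME-issued certificate), and DualCert.GetCertificate lets crypto/tls's own ClientHelloInfo.SupportsCertificate decide whether a client can take the EC certificate before falling back to RSA. The names DualCert and NewCert and the host name are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// DualCert holds an EC and an RSA certificate for the same host name.
type DualCert struct{ EC, RSA *tls.Certificate }

// NewCert mirrors the ForceRSA switch: it generates a P-256 or 2048-bit RSA key
// and wraps it in a self-signed leaf (a constructed stand-in for the CA-issued cert).
func NewCert(host string, forceRSA bool) (cert *tls.Certificate, err error) {
	var key crypto.Signer
	if forceRSA {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// GetCertificate has the tls.Config.GetCertificate signature: it prefers EC and
// serves RSA only when crypto/tls judges the ClientHello unable to use EC.
func (d *DualCert) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if hello.SupportsCertificate(d.EC) == nil {
		return d.EC, nil
	}
	if err := hello.SupportsCertificate(d.RSA); err != nil {
		return nil, err // neither key type suits this client
	}
	return d.RSA, nil
}
```

Wire it up with `tls.Config{GetCertificate: d.GetCertificate}`; a client that offers only RSA signature schemes gets the RSA leaf, everyone else gets EC.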
@rsc rsc unassigned x1ddos Jun 23, 2022