How to create an ECDSA SSL Let's Encrypt certificate

7 Oct 2017

Let's generate an ECDSA Let's Encrypt certificate (for a website, as an example) in 3 steps:

1. Generating an ECDSA Key

openssl ecparam -out private.key -name prime256v1 -genkey

The prime256v1 curve (NIST P-256) is chosen here. Your openssl build may support many more curves, but Let's Encrypt only signs CSRs for P-256 (prime256v1) and P-384 (secp384r1) ECDSA keys, so pick one of those two. openssl creates private.key with your current umask (usually 0644), so restrict it to the owner (mode 0600) right away. You can view the list of curves supported by your version of openssl:

openssl ecparam -list_curves

2. Generating the Certificate Signing Request (CSR):

openssl req -new -sha256 -key private.key \
-subj "/" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\,")) \
-outform der -out csr.der

The subject is left empty on purpose (-subj "/"): Let's Encrypt takes the hostnames from the subjectAltName extension, so the [SAN] section that the printf appends to the system openssl.cnf must contain a subjectAltName line listing every hostname (as DNS: entries) the certificate should cover, the same names passed to certbot with -d in step 3. The <( ) process substitution is a bash feature, so run this from bash, not sh.

3. Getting the certificate signed by the Let's Encrypt Certificate Authority:

certbot certonly --agree-tos --non-interactive \
--webroot -w /var/www/ \
-d -d \
--csr /etc/nginx/ssl/ \
--cert-path /etc/nginx/ssl/ \
--chain-path /etc/nginx/ssl/ \
--fullchain-path /etc/nginx/ssl/

Done! 😉

An example of Nginx config:

ssl_trusted_certificate /etc/letsencrypt/live/;
ssl_certificate_key     /etc/letsencrypt/live/;
ssl_certificate         /etc/letsencrypt/live/;

ssl_certificate_key     /etc/nginx/ssl/;
ssl_certificate         /etc/nginx/ssl/; 

Yes, since version 1.11.0 Nginx allows ssl_certificate and ssl_certificate_key to be specified more than once so that certificates of different key types, here RSA and ECDSA, are loaded side by side; during the handshake it picks the one the client's advertised cipher suites and signature algorithms support, so the existing RSA certificate stays in place as a fallback for older clients.

One more note: when certbot is handed an existing CSR (--csr) it never sees, and therefore never writes, the private key, so the ECDSA key that Nginx loads must be the private.key generated in step 1. Append it to the key file referenced by the ssl_certificate_key line for the ECDSA certificate, and keep that file owned by root with mode 0600:

cd /etc/nginx/ssl/
cat private.key >> privkey-ecdsa.pem
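The three steps above, plus the key-file note for Nginx, as one script. This is an added example, not code from the original post: it wraps the same openssl and certbot commands in functions, writes the [SAN] section to a temporary config instead of using bash process substitution, refuses curves Let's Encrypt will not sign, and checks the CSR (hostnames, curve, self-signature) before anything is sent to the CA. The hostnames example.com / www.example.com, the webroot /var/www and the output directory /etc/nginx/ssl are assumptions; the certbot step needs network access, so main() only runs it when ISSUE=1.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code). Assumed hostnames and paths
# are set in main(); replace them with your own.
set -eu

# Step 1: ECDSA key. Let's Encrypt accepts only P-256 and P-384 subscriber
# keys, so refuse anything else before wasting an ACME round-trip.
gen_key() {                     # gen_key <key-out> <curve>
  case "$2" in
    prime256v1|secp384r1) ;;
    *) echo "unsupported curve for Let's Encrypt: $2 (use prime256v1 or secp384r1)" >&2; return 1 ;;
  esac
  # subshell so the restrictive umask does not leak into the caller
  ( umask 077 && openssl ecparam -name "$2" -genkey -noout -out "$1" )
}

# Step 2: CSR with an empty subject and every hostname in the SAN extension.
gen_csr() {                     # gen_csr <key> <csr-out.der> <host> [host...]
  local key="$1" out="$2" cfg san="" h
  shift 2
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  cfg=$(mktemp)
  # Minimal config: req wants a DN section even though -subj "/" leaves it empty.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
[SAN]
subjectAltName = $san
EOF
  openssl req -new -sha256 -key "$key" -subj "/" \
    -config "$cfg" -reqexts SAN -outform der -out "$out"
  rm -f "$cfg"
}

# Checks to run before step 3: does the CSR carry the names and key type we
# think it does, and does its self-signature verify?
csr_sans() {                    # prints e.g. DNS:example.com,DNS:www.example.com
  openssl req -in "$1" -inform der -noout -text \
    | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}
csr_curve() {                   # prints the curve name, e.g. prime256v1
  openssl req -in "$1" -inform der -noout -text \
    | awk -F': ' '/ASN1 OID/ { print $2; exit }'
}
csr_verify() {                  # openssl's status for the CSR self-signature check
  openssl req -in "$1" -inform der -noout -verify >/dev/null 2>&1
}

# Step 3: hand the CSR to certbot. certbot writes no key in --csr mode, so the
# key from step 1 is installed next to the certificate, mode 0600, for Nginx.
issue_cert() {                  # issue_cert <csr> <key> <webroot> <outdir> <host> [host...]
  local csr="$1" key="$2" webroot="$3" outdir="$4" dargs="" h
  shift 4
  for h in "$@"; do dargs="$dargs -d $h"; done
  # shellcheck disable=SC2086  # dargs is intentionally word-split
  certbot certonly --agree-tos --non-interactive \
    --webroot -w "$webroot" $dargs \
    --csr "$csr" \
    --cert-path "$outdir/cert-ecdsa.pem" \
    --chain-path "$outdir/chain-ecdsa.pem" \
    --fullchain-path "$outdir/fullchain-ecdsa.pem"
  install -m 0600 "$key" "$outdir/privkey-ecdsa.pem"
}

main() {
  local work; work=$(mktemp -d)
  gen_key "$work/private.key" prime256v1
  gen_csr "$work/private.key" "$work/csr.der" example.com www.example.com   # assumed names
  echo "SANs:  $(csr_sans "$work/csr.der")"
  echo "curve: $(csr_curve "$work/csr.der")"
  csr_verify "$work/csr.der" && echo "CSR self-signature: OK"
  if [ "${ISSUE:-0}" = 1 ]; then   # needs network; assumed webroot and output dir
    issue_cert "$work/csr.der" "$work/private.key" /var/www /etc/nginx/ssl example.com www.example.com
  fi
}
main
```

Run it once without ISSUE to see the CSR checks pass, then ISSUE=1 on the web host to let certbot sign the CSR and drop cert, chain, fullchain and the 0600 key file into the output directory that the Nginx config references.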

Useful links: