How to create ECDSA SSL Let's Encrypt Certificate

Let's generate ECDSA Let's Encrypt Certificate (for website funtime.kiev.ua as example) in 3 steps:

1. Generating an ECDSA Key

openssl ecparam -out private.key -name prime256v1 -genkey

Chosen prime256v1 curve. You can choose curve what you want. You can view the list of curves supported by your version of openssl:

openssl ecparam -list_curves

2. Generating the Certficate Signing Request (CSR):

openssl req -new -sha256 -key private.key \
-subj "/CN=funtime.kiev.ua" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:funtime.kiev.ua,DNS:www.funtime.kiev.ua")) \
-outform der -out csr.der

3. Generating cetificate signed by Let's Encrypt Certificate Authority:

certbot certonly --agree-tos --non-interactive \
--webroot -w /var/www/funtime.kiev.ua/public \
-d funtime.kiev.ua -d www.funtime.kiev.ua \
--csr /etc/nginx/ssl/funtime.kiev.ua/csr.der \
--cert-path /etc/nginx/ssl/funtime.kiev.ua/privkey-ecdsa.pem \
--chain-path /etc/nginx/ssl/funtime.kiev.ua/chain-ecdsa.pem \
--fullchain-path /etc/nginx/ssl/funtime.kiev.ua/fullchain-ecdsa.pem

Done! 😉

An example of Nginx config:

ssl_trusted_certificate /etc/letsencrypt/live/funtime.kiev.ua/chain.pem;
ssl_certificate_key     /etc/letsencrypt/live/funtime.kiev.ua/privkey.pem;
ssl_certificate         /etc/letsencrypt/live/funtime.kiev.ua/fullchain.pem;

ssl_certificate_key     /etc/nginx/ssl/funtime.kiev.ua/privkey-ecdsa.pem;
ssl_certificate         /etc/nginx/ssl/funtime.kiev.ua/fullchain-ecdsa.pem; 

Yes, Nginx allow to use different types of certificates and automatically choose necessary one.

And just one note: for Nginx, you need also add your private key to generated by Let's Encrypt private key: 

cd /etc/nginx/ssl/funtime.kiev.ua
cat private.key >> privkey-ecdsa.pem

Useful links: