Let's generate an ECDSA Let's Encrypt certificate (using the website funtime.kiev.ua as an example) in 3 steps:
1. Generating an ECDSA Key
openssl ecparam -out private.key -name prime256v1 -genkey
The prime256v1 curve is chosen here; you can pick whichever curve you want. To view the list of curves supported by your version of openssl:
openssl ecparam -list_curves
2. Generating the Certificate Signing Request (CSR):
openssl req -new -sha256 -key private.key \
    -subj "/CN=funtime.kiev.ua" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:funtime.kiev.ua,DNS:www.funtime.kiev.ua")) \
    -outform der -out csr.der
3. Generating a certificate signed by the Let's Encrypt Certificate Authority:
certbot certonly --agree-tos --non-interactive \
    --webroot -w /var/www/funtime.kiev.ua/public \
    -d funtime.kiev.ua -d www.funtime.kiev.ua \
    --csr /etc/nginx/ssl/funtime.kiev.ua/csr.der \
    --cert-path /etc/nginx/ssl/funtime.kiev.ua/privkey-ecdsa.pem \
    --chain-path /etc/nginx/ssl/funtime.kiev.ua/chain-ecdsa.pem \
    --fullchain-path /etc/nginx/ssl/funtime.kiev.ua/fullchain-ecdsa.pem
Done! 😉
An example of Nginx config:
ssl_trusted_certificate /etc/letsencrypt/live/funtime.kiev.ua/chain.pem;
ssl_certificate_key     /etc/letsencrypt/live/funtime.kiev.ua/privkey.pem;
ssl_certificate         /etc/letsencrypt/live/funtime.kiev.ua/fullchain.pem;
ssl_certificate_key     /etc/nginx/ssl/funtime.kiev.ua/privkey-ecdsa.pem;
ssl_certificate         /etc/nginx/ssl/funtime.kiev.ua/fullchain-ecdsa.pem;
Yes, Nginx allows you to use different types of certificates side by side and automatically chooses the appropriate one.
And just one note: for Nginx, you also need to append your private key to the privkey-ecdsa.pem file generated by Let's Encrypt:
cd /etc/nginx/ssl/funtime.kiev.ua
cat private.key >> privkey-ecdsa.pem
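Before reloading Nginx it is worth confirming that the appended key really belongs to the issued certificate. The script below is an added example, not part of the original post; its function names are assumptions, and it also checks the curve, the SAN entries and the file permissions of the key file.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks for the ECDSA
# key/certificate pair before reloading Nginx. Function names are assumptions.

# PEM public key derived from the private key in $1. openssl skips other PEM
# blocks, so this also works on privkey-ecdsa.pem after the key was appended.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# PEM public key of the first (leaf) certificate in $1.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Curve name of the private key in $1, e.g. prime256v1 (empty if not EC).
key_curve() { openssl pkey -in "$1" -noout -text 2>/dev/null | awk '/ASN1 OID/ {print $3}'; }

# True when the private key in $1 belongs to the certificate in $2.
key_matches_cert() {
  local k c
  k=$(key_pub "$1") || return 2
  c=$(cert_pub "$2") || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the certificate in $1 lists DNS name $2 in subjectAltName.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | tr ', ' '\n\n' | grep -Fxq "DNS:$2"
}

# True when the file has no group/other permission bits set.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Run all checks: $1 = key file, $2 = certificate file, rest = host names.
check_ecdsa_pair() {
  local key="$1" cert="$2" rc=0 name; shift 2
  [ -n "$(key_curve "$key")" ] || { echo "no EC private key in $key"; rc=1; }
  key_matches_cert "$key" "$cert" || { echo "key and certificate do not match"; rc=1; }
  key_is_private "$key" || { echo "$key is accessible by group/other"; rc=1; }
  for name in "$@"; do
    cert_covers_name "$cert" "$name" || { echo "certificate lacks SAN $name"; rc=1; }
  done
  return "$rc"
}

# Usage: ./check.sh privkey-ecdsa.pem fullchain-ecdsa.pem funtime.kiev.ua www.funtime.kiev.ua
if [ "$#" -ge 2 ]; then check_ecdsa_pair "$@"; fi
```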