Creating an ECDSA certificate with Let's Encrypt using certbot (2022)


Five years ago, when I wrote about ECDSA certificates with Let's Encrypt, making an ECDSA certificate was still somewhat tedious. Now a TLS certificate with an ECDSA key can be issued easily.
This time, while moving 「きとらぼ」 from https://gato.intaa.net to https://intaa.net within the same domain, I also had to move https://intaa.net, which had been used for the mail service, from a separate host to the host that 「きとらぼ」 runs on. So I deleted the intaa.net certificate on the separate host (certbot delete) and reissued it on the 「きとらぼ」 host. While at it, I reissued the certificate with an ECDSA key.

Issuing an ECDSA certificate with certbot (new certificate)

# certbot certonly --key-type ecdsa -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Requesting a certificate for example.com
Input the webroot for example.com: (Enter 'c' to cancel): /var/www/example.com

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2023-01-16.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

As shown, just adding --key-type ecdsa to the command issues an ECDSA certificate. Note that when only the key type is specified, the curve appears to default to P-256 (prime256v1 = secp256r1). If you want somewhat higher cryptographic strength and prefer P-384 (secp384r1), additionally specify --elliptic-curve secp384r1. For ordinary use, though, secp256r1 should be fine.
In terms of strength, ECDH256 falls slightly short of 3076-bit RSA. ECDH384 falls slightly short of 7680-bit RSA, which I think is overkill for an ordinary website such as a blog.

Configuration and its effect on renewal

If you want every certificate issued from now on to be ECDSA, or to use P-384, write the settings in the configuration file /usr/local/etc/letsencrypt/cli.ini (the path when installed from FreeBSD pkg/ports). cli.ini does not exist when certbot is installed from pkg/ports, so if you have never created a configuration file before, you create it from scratch.

key-type = ecdsa
elliptic-curve = secp384r1

Once written, these settings become the default, so if you later want to create an RSA key, for example, you have to specify --key-type rsa on the command line. If you want the RSA key length to be 4096 bits instead of the default 2048, add --rsa-key-size 4096 as well.
Be careful: writing these settings affects the next and subsequent renewals of existing certificates (those issued without any options). Options given when a certificate was issued take precedence over the configuration file and are applied at renewal too. In other words, a certificate issued (or renewed) with --key-type ecdsa or --key-type rsa is, on every later renewal, renewed as if that same --key-type ecdsa or --key-type rsa had been given, ignoring what the configuration file specifies.
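To make that precedence concrete, here is an added example (my code, not certbot's) that works out which key settings apply at the next renewal from a cli.ini and a per-certificate renewal config. It assumes the renewal config format (a [renewalparams] section with underscore option names, under the renewal/ subdirectory of the letsencrypt directory) and RSA 2048 / secp256r1 as certbot's built-in defaults for the release shown; the sample file contents are constructed.

```python
# Added example (not certbot's own code): which key settings would certbot
# apply at the next renewal of one certificate? Precedence as described in
# the text: options recorded at issuance in the per-certificate renewal
# config override cli.ini, which overrides certbot's built-in defaults.
# Assumed: renewal config = <letsencrypt dir>/renewal/<name>.conf with a
# [renewalparams] section (underscore names); defaults RSA 2048 / secp256r1.
import configparser

BUILTIN_DEFAULTS = {"key_type": "rsa", "rsa_key_size": "2048",
                    "elliptic_curve": "secp256r1"}
KEYS = tuple(BUILTIN_DEFAULTS)


def parse_cli_ini(text):
    """cli.ini has no section header and uses hyphenated option names."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            found[key.replace("-", "_")] = value
    return {k: v for k, v in found.items() if k in KEYS}


def parse_renewal_conf(text):
    """Per-certificate renewal config: ordinary INI with [renewalparams]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("renewalparams"):
        return {}
    return {k: v for k, v in cp.items("renewalparams") if k in KEYS}


def effective_key_settings(cli_ini_text, renewal_conf_text):
    """Merge in precedence order: later updates win."""
    merged = dict(BUILTIN_DEFAULTS)
    merged.update(parse_cli_ini(cli_ini_text))
    merged.update(parse_renewal_conf(renewal_conf_text))
    return merged


# Constructed sample files: the cli.ini written in the text (ECDSA, P-384),
# a renewal config for a cert issued earlier with --key-type rsa, and one
# for a cert issued with no key options before cli.ini existed.
CLI_INI = "key-type = ecdsa\nelliptic-curve = secp384r1\n"
RENEWAL_RSA = "[renewalparams]\nauthenticator = webroot\nkey_type = rsa\n"
RENEWAL_PLAIN = "[renewalparams]\nauthenticator = webroot\n"

if __name__ == "__main__":
    print(effective_key_settings(CLI_INI, RENEWAL_RSA))    # stays RSA 2048
    print(effective_key_settings(CLI_INI, RENEWAL_PLAIN))  # becomes ECDSA P-384
```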

Switching an existing certificate to ECDSA at renewal

There will be cases where you want to immediately "renew" an existing RSA certificate into an ECDSA one.

# certbot renew --cert-name example.com --key-type ecdsa --force-renewal
Something like this does the job.

Hybrid certificates

Five or six years ago, if you used an ECDSA certificate on an ordinary website, I recommended a hybrid setup with an RSA certificate as well, for compatibility with visitors' browsers, but as of 2022 I think a hybrid is no longer necessary. Only very old smartphones (Android 2.x) and the browsers of old game consoles lack support.

Trying out an ECDSA SSL certificate

Assuming an RSA certificate has already been created, additionally issue an ECDSA certificate.

# certbot certonly --key-type ecdsa --cert-name example.com-ecdsa

Compared with five years ago, many command options that meet real needs seem to have been added, and it has become very simple, which is nice.
