Webui SSL Certificate - ECDSA certificate

xwildx

Occasional Visitor
Hi @RMerlin

It would be nice to support Let’s Encrypt ECDSA certificate on the webui.

As noted by NIST, ECDSA certificates can provide comparable security strength with smaller key sizes than RSA. As a result, conducting TLS handshakes with ECDSA certificates requires less networking and computing resources, making them a good option for IoT devices that have limited storage and processing capabilities.

Let’s Encrypt accepts RSA keys that are 2048, 3072, or 4096 bits in length and P-256 or P-384 ECDSA keys.
(See https://letsencrypt.org/docs/integration-guide/ )

In the best world, it would be nice to have those 2 settings:

1. For the key type
2. For the key size (which depends on the key type)




I'm not sure if this is a really easy add-on, but once this is added into the GUI, I think it only needs to be added in the gencert.sh to tell openssl which certificate needs to be generated.


Let me know what you think,


Best regards,
 

SomeWhereOverTheRainBow

Part of the Furniture
If you are creative enough, you could generate it on your own via a script. I do generate both an RSA and ECDSA since nginx supports running multiple. However, I switched to using ZeroSSL.
 

RMerlin

Asuswrt-Merlin dev
Let's Encrypt implementation is closed source, and outside of my control.

Besides, you would never be able to notice the performance difference. That might make a difference on a web server that gets thousands of simultaneous connections, not on a router that gets only one single user at once.
 

xwildx

Occasional Visitor
Thank you for the quick reply,

Yes, you're absolutely right, it will not make much performance difference (since it is a router).

If it's too much work, that's definitely not worth it. I thought it was 2-3 lines of code to generate the certificate using ECDSA instead of RSA.
 

SomeWhereOverTheRainBow

Part of the Furniture
It probably would be, but since it is in closed-source code, RMerlin has no access to do that.
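
The key type and key size choice discussed in this thread, as an added example that is not part of any post here and is not taken from the firmware's gencert.sh: it creates a self-signed certificate (not a Let's Encrypt one) and only allows the key types the first post lists as accepted by Let's Encrypt. The function names, argument order, CN and file names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from gencert.sh).
# Allowed combinations: RSA 2048/3072/4096 and ECDSA P-256/P-384.

# gen_key TYPE SIZE OUTFILE: write a private key, or fail on an unlisted choice.
gen_key() {
    case "$1:$2" in
        rsa:2048|rsa:3072|rsa:4096)
            openssl genpkey -algorithm RSA \
                -pkeyopt "rsa_keygen_bits:$2" -out "$3" 2>/dev/null ;;
        ecdsa:256)   # P-256 is named prime256v1 in OpenSSL
            openssl genpkey -algorithm EC \
                -pkeyopt ec_paramgen_curve:prime256v1 -out "$3" 2>/dev/null ;;
        ecdsa:384)   # P-384 is named secp384r1 in OpenSSL
            openssl genpkey -algorithm EC \
                -pkeyopt ec_paramgen_curve:secp384r1 -out "$3" 2>/dev/null ;;
        *)
            echo "unsupported key type/size: $1 $2" >&2
            return 1 ;;
    esac
}

# make_cert TYPE SIZE CN OUTDIR: write OUTDIR/key.pem and a self-signed OUTDIR/cert.pem.
make_cert() {
    # The subshell keeps the restrictive umask local, so the key is never
    # world-readable, even briefly.
    ( umask 077 && gen_key "$1" "$2" "$4/key.pem" ) || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$4/key.pem" \
        -subj "/CN=$3" -out "$4/cert.pem"
}

# cert_key_info CERT: print the public key algorithm and size lines of a certificate.
cert_key_info() {
    openssl x509 -in "$1" -noout -text | grep -E 'Public Key Algorithm|Public-Key'
}

# Usage: sh thisfile.sh ecdsa 256 router.example /tmp/certs
if [ "$#" -eq 4 ]; then
    make_cert "$@" && cert_key_info "$4/cert.pem"
fi
```
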
 
