Topic: AutoSSL Key Length

AutoSSL Key Length
« on: July 20, 2019, 06:51:00 PM »
Hi there,

I have been messing around with CWP for a few weeks now and I like it a lot.

I have been able to correctly build Let's Encrypt certificates using AutoSSL.

But I have a question for the community: has anyone managed to produce a certificate with a 4096 key length instead of 2048, which is the default?

Thank you in advance for your answer(s).

Regards.

Louis

Re: AutoSSL Key Length
« Reply #1 on: July 23, 2019, 03:30:12 AM »
It will be better if you can contact them directly about this suggestion.

http://centos-webpanel.com/contact

Re: AutoSSL Key Length
« Reply #2 on: July 23, 2019, 09:35:06 AM »
Hi Jamshed_206,

Thank you for your answer.

I'll do it for sure, as acme.sh supports the ACME 2 protocol served by LE; it enables the use of wildcard certificates, other challenge methods (DNS is mandatory for wildcard) and is even compatible with the APIs of a bunch of DNS providers, longer key lengths and ECDSA certificates.

Nice things could be done with the right wrappers.

Regards.

Louis

Re: AutoSSL Key Length
« Reply #3 on: July 29, 2019, 12:54:32 PM »
Hi all,

For those interested in playing with certificates, you can modify the key length, the certificate type and extensions like "must staple" by directly modifying the acme.sh script.

/!\ DO NOT DO THAT ON PROD UNTIL YOU'RE CONFIDENT WITH WHAT IT IMPLIES /!\

First make a copy of the original script:
Code:
cp /root/.acme.sh/acme.sh /root/.acme.sh/acme.sh.bak
Then we will work on a copy using vim or another editor you like:
Code:
vim /root/.acme.sh/acme.sh
And we edit line 36 for the key length and/or certificate type, and line 6269 to add the "must staple" extension:
L36:
Code:
DEFAULT_DOMAIN_KEY_LENGTH="2048"
Becomes:
Code:
DEFAULT_DOMAIN_KEY_LENGTH="4096"  # for 4096 bits RSA
Or:
Code:
DEFAULT_DOMAIN_KEY_LENGTH="ec-384"  # for 384 bits ECDSA

At L6269 you'll find:
Code:
  _notify_mode=""
  while [ ${#} -gt 0 ]; do
Add a line between those two, ending up with the following text:
Code:
  _notify_mode=""
  Le_OCSP_Staple="1"
  while [ ${#} -gt 0 ]; do
It will add "must staple" to your certificate.

A lot of other things could be done like that, like wildcard certificates or DNS checks (needed for wildcard), but for those 2 the SSL certificates manager behavior could not be predicted.
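
A check for the result of the edits described in Reply #3, as an added example that is not part of the thread or of acme.sh: it reads the text form of an issued certificate and reports the key type, key size and whether the "must staple" extension (TLS Feature with status_request) is present. The function names, the sample text and the certificate path argument are assumptions, and it expects an OpenSSL version that prints the extension by name as "TLS Feature".

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): summarise a certificate
# from the text printed by `openssl x509 -noout -text`.

# cert_summary: reads that text on stdin, prints "<algo> <bits> <staple|nostaple>".
cert_summary() {
  awk '
    BEGIN { algo = "unknown"; bits = 0; staple = "nostaple" }
    /Public Key Algorithm:/ {
      algo = ($NF == "rsaEncryption") ? "rsa" : (($NF == "id-ecPublicKey") ? "ec" : $NF)
    }
    # "RSA Public-Key: (4096 bit)" or "Public-Key: (384 bit)", by OpenSSL version
    /Public-Key: \(/ && !bits { s = $0; sub(/.*\(/, "", s); sub(/ bit.*/, "", s); bits = s + 0 }
    # must-staple is the TLS Feature extension carrying status_request
    in_feat { if ($0 ~ /(^|[ ,])status_request([ ,]|$)/) staple = "staple"; in_feat = 0 }
    /TLS Feature:/ { in_feat = 1 }
    END { print algo, bits, staple }
  '
}

# check_cert FILE EXPECTED: returns 0 when the PEM certificate FILE matches EXPECTED
check_cert() {
  actual=$(openssl x509 -in "$1" -noout -text 2>/dev/null | cert_summary)
  if [ "$actual" = "$2" ]; then
    echo "OK   $1: $actual"
  else
    echo "FAIL $1: got '$actual', expected '$2'" >&2
    return 1
  fi
}

# sample_text: constructed excerpt for an ec-384 must-staple certificate
sample_text() {
  cat <<'EOF'
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
        X509v3 extensions:
            TLS Feature:
                status_request
EOF
}

# Usage: sh check.sh /path/to/cert.pem "rsa 4096 staple"   (path is a placeholder)
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```

A certificate issued before the edits would report "rsa 2048 nostaple", so a mismatch after renewal shows that the modified defaults were not picked up.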