Input Plesk / Let's Encrypt > Support for ECDSA Certificates

[learning_curve]

The current Let's Encrypt Extension in Plesk, works well. Easy to use and for many, attractive because there's no CLI input required in order to generate certificates / automatic renewals etc. However, currently, if using this Plesk Extension, it's only possible to generate RSA certificates. Let's Encrypt can generate RSA or ECDSA certificates already and are now busy adding further extended ECDSA support. So another Plesk (Mike) user has added THIS Plesk Suggestion to allow a choice between RSA and ECDSA certificates when signing via the Let's Encrypt Plesk Extension. The benefits of ECDSA are already well known and Mike has included some of them in his suggestion. Please visit the suggestion and add your support / comments to it

FWIW You can already generate Let's Encrypt ECDSA certificates (>> example) without using the Let's Encrypt Plesk Extension. You can also, already generate Let's Encrypt RSA AND ECDSA certificates (i.e. two certificates) if you want to cover nearly all browser options. Why? Because Apache and NginX later releases, allow recognition / switching between the two certificates, but that's not possible to setup in Plesk when using the default, configuration certificates yet... (i.e. it's a single / RSA certificate recognition only at present). There's a comment on the Plesk Suggestion that explains more about a possible change to this too

 

[learning_curve]

A quick 'bump' to add more interest and therefore some more votes on here: Plesk Suggestion

ECDSA certificates really are MUCH better than RSA certificates. You'll find lots of reasons why if you research online and the main reason (if you're not using them yet) is because they are not supported within Plesk (yet)

The Plesk suggestion above has comments which explain in more detail. Worth remembering that outside of the default plesk setup, you can use ECDSA AND RSA Cetifcates at the same time, which then covers a very wide range of browsers / demands

 

[Hotte512]

another 'bump' DO IT!

And think about using it for postfix etc. ;-) as default!

You can use RSA & ECDSA Parallel!

# TLS RSA public / private keys
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.cer
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
# TLS ECDSA public / private keys
smtpd_tls_eccert_file = /etc/ssl/certs/mail.domain.tld_ecc.cer
smtpd_tls_eckey_file = /etc/ssl/private/mail.domain.tld_ecc.key

bythe way... Perfect Forward Secrecy Cipherli.st - Strong ciphers for Apache, nginx and Lighttpd is not that new :-D

for DOVECOT there is Different certificates per IP and protocol at SSL/DovecotConfiguration - Dovecot Wiki

 

[learning_curve]

another 'bump' DO IT!

Yep, it's worth a bump / another Plesk please do it request

And think about using it for postfix etc. ;-) as default!

Can't speak for others but we have and we would.
How easy that is to implement, exclusively within Plesk, depends on Plesk's approach to making this happen

You can use RSA & ECDSA Parallel!
# TLS RSA public / private keys
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.cer
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
# TLS ECDSA public / private keys
smtpd_tls_eccert_file = /etc/ssl/certs/mail.domain.tld_ecc.cer
smtpd_tls_eckey_file = /etc/ssl/private/mail.domain.tld_ecc.key

Yep, we pointed this out (but without the illustrative example code that you have posted) in our own opening post. Some other Plesk users may still not realise how useful this can / will be and therefore have not voted for it - yet It needs changes by Plesk, to Plesk's standard templates if RSA & ECDSA are to be used at the same time. Otherwise, custom templates will still need to be created by the Plesk user to make this happen. If anybody is reading this but hasn't voted yet, then the link to do so, is in the opening post of this thread

bythe way... Perfect Forward Secrecy Cipherli.st - Strong ciphers for Apache, nginx and Lighttpd is not that new :-D

Slightly off-topic subject for this thread but yes, there's this source and quite a few other sources for informative and helpful PFS data. Plesk provides various cipher setups by default, but you can change all of these anyway (as we have). The current main limitation, is that sw-cp-server (i.e. Plesk itself) is still only TLSv1.2 but it seems that's soon to be corrected > Other Thread

for DOVECOT there is Different certificates per IP and protocol at SSL/DovecotConfiguration - Dovecot Wiki

Yep, that's the same discussion point as Postfix re: the level of Plesk's approach etc