
Let's Encrypt > Support for ECDSA Certificates

learning_curve

Silver Pleskian
The current Let's Encrypt Extension in Plesk works well. Easy to use and, for many, attractive because there's no CLI input required in order to generate certificates / automatic renewals etc. However, currently, if using this Plesk Extension, it's only possible to generate RSA certificates. Let's Encrypt can already generate RSA or ECDSA certificates and is now busy adding further extended ECDSA support. So another Plesk user (Mike) has added THIS Plesk Suggestion to allow a choice between RSA and ECDSA certificates when signing via the Let's Encrypt Plesk Extension. The benefits of ECDSA are already well known and Mike has included some of them in his suggestion. Please visit the suggestion and add your support / comments to it ;)

FWIW, you can already generate Let's Encrypt ECDSA certificates (>> example) without using the Let's Encrypt Plesk Extension. You can also already generate Let's Encrypt RSA AND ECDSA certificates (i.e. two certificates) if you want to cover nearly all browser options. Why? Because later releases of Apache and NginX allow recognition / switching between the two certificates, but that's not possible to set up in Plesk yet when using the default configuration certificates... (i.e. it's single / RSA certificate recognition only at present). There's a comment on the Plesk Suggestion that explains more about a possible change to this too.
 
A quick 'bump' to add more interest and therefore some more votes on here: Plesk Suggestion

ECDSA certificates really are MUCH better than RSA certificates. You'll find lots of reasons why if you research online and the main reason (if you're not using them yet) is because they are not supported within Plesk (yet) ;)

The Plesk suggestion above has comments which explain in more detail. Worth remembering that outside of the default Plesk setup, you can use ECDSA AND RSA certificates at the same time, which then covers a very wide range of browsers / demands.
 
another 'bump' DO IT!

And think about using it for postfix etc. ;-) as default!

You can use RSA & ECDSA in parallel!

# TLS RSA public / private keys
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.cer
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
# TLS ECDSA public / private keys
smtpd_tls_eccert_file = /etc/ssl/certs/mail.domain.tld_ecc.cer
smtpd_tls_eckey_file = /etc/ssl/private/mail.domain.tld_ecc.key

By the way... Perfect Forward Secrecy Cipherli.st - Strong ciphers for Apache, nginx and Lighttpd is not that new :-D

for DOVECOT there is Different certificates per IP and protocol at SSL/DovecotConfiguration - Dovecot Wiki
 
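An added check, not posted by anyone in this thread, for whoever deploys the RSA + ECDSA pair shown above (Postfix, or Apache / nginx on 443): the script connects twice with openssl s_client, once advertising only RSA signature algorithms and once only ECDSA, and reports which leaf certificate the server picked each time. It assumes OpenSSL 1.1.1 or newer (for -sigalgs) and a POSIX shell; host and port are whatever you are testing.

```shell
#!/bin/sh
# Check that a TLS endpoint really serves an RSA certificate to RSA-only
# clients and an ECDSA certificate to ECDSA-only clients.
# Assumption: OpenSSL 1.1.1+ on the client side (needed for -sigalgs).

# Print the public-key algorithm of the first PEM certificate on stdin,
# e.g. "rsaEncryption" or "id-ecPublicKey". Empty output if no cert.
key_algo_of_pem() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Fetch the leaf certificate the server presents when the client only
# advertises the given signature algorithms.
# $1 host, $2 port, $3 sigalgs list, $4 optional STARTTLS protocol (smtp, imap).
probe_leaf_cert() {
    host=$1 port=$2 sigalgs=$3 starttls=${4:-}
    if [ -n "$starttls" ]; then
        set -- -starttls "$starttls"
    else
        set --
    fi
    openssl s_client -connect "$host:$port" -servername "$host" \
        -sigalgs "$sigalgs" "$@" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Report the key type served for an RSA-only and for an ECDSA-only client.
# On a host with both certificates the two lines should differ:
#   RSA-only client   -> rsaEncryption
#   ECDSA-only client -> id-ecPublicKey
# "handshake failed" means the server had no certificate usable with
# that client's signature algorithms (single-certificate setup).
report_dual_cert() {
    host=$1 port=${2:-443} starttls=${3:-}
    rsa=$(probe_leaf_cert "$host" "$port" "RSA-PSS+SHA256:RSA+SHA256" "$starttls" | key_algo_of_pem)
    ecc=$(probe_leaf_cert "$host" "$port" "ECDSA+SHA256" "$starttls" | key_algo_of_pem)
    printf 'RSA-only client   -> %s\n' "${rsa:-handshake failed}"
    printf 'ECDSA-only client -> %s\n' "${ecc:-handshake failed}"
}

# Usage: sh probe.sh mail.example.com 587 smtp
#        sh probe.sh www.example.com 443
if [ -n "${1:-}" ]; then
    report_dual_cert "$@"
fi
```

For the Postfix pair above, run it against the submission port with the smtp STARTTLS option; for Dovecot use imap on 143.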
another 'bump' DO IT!
Yep, it's worth a bump / another Plesk please do it request ;)
And think about using it for postfix etc. ;-) as default!
Can't speak for others but we have and we would.
How easy that is to implement, exclusively within Plesk, depends on Plesk's approach to making this happen
You can use RSA & ECDSA in parallel!
# TLS RSA public / private keys
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.cer
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
# TLS ECDSA public / private keys
smtpd_tls_eccert_file = /etc/ssl/certs/mail.domain.tld_ecc.cer
smtpd_tls_eckey_file = /etc/ssl/private/mail.domain.tld_ecc.key
Yep, we pointed this out (but without the illustrative example code that you have posted) in our own opening post. Some other Plesk users may still not realise how useful this can / will be o_O and therefore have not voted for it - yet :eek: It needs changes by Plesk, to Plesk's standard templates if RSA & ECDSA are to be used at the same time. Otherwise, custom templates will still need to be created by the Plesk user to make this happen. If anybody is reading this but hasn't voted yet, then the link to do so, is in the opening post of this thread
By the way... Perfect Forward Secrecy Cipherli.st - Strong ciphers for Apache, nginx and Lighttpd is not that new :-D
Slightly off-topic subject for this thread but yes, there's this source and quite a few other sources for informative and helpful PFS data. Plesk provides various cipher setups by default, but you can change all of these anyway (as we have). The current main limitation is that sw-cp-server (i.e. Plesk itself) is still only TLSv1.2, but it seems that's soon to be corrected > Other Thread
for DOVECOT there is Different certificates per IP and protocol at SSL/DovecotConfiguration - Dovecot Wiki
Yep, that's the same discussion point as Postfix re: the level of Plesk's approach etc
 