Feature #9843
allow to generate cert/csr with ECDSA key
Start date: 10/23/2019
Due date:
% Done: 100%
Estimated time:
Release Notes: Default
Description
Add ability to generate certificates/CSRs with ECDSA keys.
Associated revisions
GUI improvements for ECDSA certificate handling
- Make central functions to check and test ECDSA compatibility. Issue #9843
- Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897
- Do the same for IPsec, which implements #4991
- Add a check for key type when generating ipsec.secrets to allow ECDSA certs to work in IPsec for issue #4991
Note that as of this moment, the following curves are known to be compatible:
HTTPS (GUI, Captive Portal): prime256v1, secp384r1
IPsec: prime256v1, secp384r1, secp521r1
Results may vary in other areas which are not yet well-tested, and in packages.
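One way to apply the curve lists from the commit message above when deciding whether a certificate can be offered for a service. This is an added example, not pfSense code and not part of the ticket. The function names, return codes and the pass-through for non-EC keys are assumptions; the curve lists are the ones stated on this page.

```shell
#!/bin/sh
# Added example, not pfSense code. Curve lists are copied from the commit
# message on this page; function names and return codes are hypothetical.
HTTPS_CURVES="prime256v1 secp384r1"
IPSEC_CURVES="prime256v1 secp384r1 secp521r1"

# usage: cert_usable_for <https|ipsec> <cert.pem>
# returns 0 = may be offered, 1 = incompatible curve, 2 = bad service, 3 = unreadable
cert_usable_for() {
    case "$1" in
        https) allowed=$HTTPS_CURVES ;;
        ipsec) allowed=$IPSEC_CURVES ;;
        *) echo "unknown service: $1" >&2; return 2 ;;
    esac
    text=$(openssl x509 -in "$2" -noout -text 2>/dev/null) || return 3
    # Assumption: non-EC keys (e.g. RSA) are not subject to the curve filter.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 0
    # Named curves are printed by openssl as "ASN1 OID: <name>".
    curve=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p' | head -n 1)
    # An EC key with explicit parameters has no named curve: reject it.
    [ -n "$curve" ] || return 1
    for c in $allowed; do
        [ "$c" = "$curve" ] && return 0
    done
    return 1
}

# Constructed sample input: throwaway self-signed certificate on a given curve.
# usage: make_sample_cert <curve> <out.pem>   (the key is written to <out.pem>.key)
make_sample_cert() {
    openssl ecparam -name "$1" -genkey -noout -out "$2.key" 2>/dev/null &&
        openssl req -x509 -new -key "$2.key" -subj "/CN=example-$1" \
            -days 1 -out "$2" 2>/dev/null
}
```

Running `make_sample_cert secp521r1 /tmp/p521.pem` followed by `cert_usable_for https /tmp/p521.pem; echo $?` shows a certificate that passes the IPsec list but not the HTTPS one.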
History
#1
Updated by Viktor Gurov over 1 year ago
#2
Updated by Jim Pingle over 1 year ago
- Status changed from New to Pull Request Review
- Assignee set to Jim Pingle
#3
Updated by Jim Pingle over 1 year ago
- Target version set to 2.5.0
#4
Updated by Jim Pingle over 1 year ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
PR has been merged
#5
Updated by Viktor Gurov over 1 year ago
Jim Pingle wrote:
PR has been merged
Tested on 2.5.0.a.20191109.1723
Resolved
#6
Updated by Jim Pingle over 1 year ago
- Status changed from Feedback to Resolved
Change default ECDSA curve to prime256v1. Issue #9843
Previous default was brainpool, but brainpool curves are not (widely?)
supported by browsers and were deprecated by IETF for TLS v1.3