Feature #9843

allow to generate cert/csr with ECDSA key

Added by Viktor Gurov about 1 year ago. Updated 12 months ago.

Add ability to generate certificates/CSRs with ECDSA keys.

Screenshot from 2019-10-23 11-47-52.png (39.4 KB), interface screenshot, Viktor Gurov, 10/23/2019 03:49 AM

Associated revisions

Revision c3cda38e (diff)
Added by Jim Pingle 12 months ago

Change default ECDSA curve to prime256v1. Issue #9843

Previous default was brainpool, but brainpool curves are not (widely?)
supported by browsers and were deprecated by IETF for TLS v1.3

Revision cffcf9bf (diff)
Added by Jim Pingle 12 months ago

GUI improvements for ECDSA certificate handling

  • Make central functions to check and test ECDSA compatibility. Issue #9843
  • Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897
  • Do the same for IPsec, which implements #4991
  • Add a check for key type when generating ipsec.secrets to allow ECDSA certs to work in IPsec for issue #4991

Note that as of this moment, the following curves are known to be compatible:
HTTPS (GUI, Captive Portal): prime256v1, secp384r1
IPsec: prime256v1, secp384r1, secp521r1

Results may vary in other areas which are not yet well-tested, and in packages.
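
The per-service filtering described in the commit message for revision cffcf9bf can be sketched as follows. This is an added example, not pfSense code: it reads the named curve from a DER SubjectPublicKeyInfo and checks it against the curve lists quoted above; the function names, the choice of brainpoolP256r1 as the brainpool sample, and the sample bytes are constructed for illustration.

```python
# Added example, not pfSense code. Curve lists are from the commit message.
EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1", "1.3.36.3.3.2.8.1.1.7": "brainpoolP256r1",
}
COMPATIBLE = {"HTTPS": {"prime256v1", "secp384r1"},
              "IPsec": {"prime256v1", "secp384r1", "secp521r1"}}
# Constructed SPKI samples (hex); the key BIT STRING is a 1-byte placeholder.
SAMPLES = {
    "prime256v1": "3019301306072a8648ce3d020106082a8648ce3d03010703020004",
    "secp521r1": "3016301006072a8648ce3d020106052b8104002303020004",
    "brainpoolP256r1": "301a301406072a8648ce3d020106092b240303020801010703020004",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_curve(spki_der):
    """Named curve of an EC SubjectPublicKeyInfo; None for other key types."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, _ = read_tlv(spki, 0)
    _, alg_oid, params_pos = read_tlv(alg, 0)
    if decode_oid(alg_oid) != EC_PUBLIC_KEY:
        return None  # RSA or another non-EC key type
    tag, params, _ = read_tlv(alg, params_pos)
    oid = decode_oid(params) if tag == 0x06 else None  # None: explicit params
    return CURVE_NAMES.get(oid, oid)

def usable_for(service, spki_der):
    return spki_curve(spki_der) in COMPATIBLE[service]  # RSA keys give False
```

With these samples, a secp521r1 key passes the IPsec list but not the HTTPS one, and the brainpool key is rejected for both.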


#2 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Pull Request Review
  • Assignee set to Jim Pingle

#3 Updated by Jim Pingle about 1 year ago

  • Target version set to 2.5.0

#4 Updated by Jim Pingle about 1 year ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

PR has been merged

#5 Updated by Viktor Gurov 12 months ago

Jim Pingle wrote:

PR has been merged

Tested on 2.5.0.a.20191109.1723


#6 Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Resolved
