ACME Package generating EC KEY parameters along with key.

  • I'm using the ACME package to generate EC certificates for IPsec IKEv2 VPN.
    I know EC certificates are not supported for IPsec yet, but I managed to change the pfSense scripts to accept EC certificates a few months ago, and now I'm moving from self-signed certs to Let's Encrypt certs.

    The problem arises when the certificate is generated from the ACME package: openssl generates EC KEY parameters by default, which prevents the IPsec daemon from correctly reading the EC private key.
    I managed to fix it by changing the following line with the -noout switch under the _createkey() function in

    ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey -noout 2>/dev/null >"$f"

    As far as I know the EC parameters are irrelevant and can be safely removed, but I would like to know if there's something that might actually break or lower security by adding the noout switch. Do you think it can be safely removed? Will the noout switch ever be added to the main code?

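What the -noout switch actually suppresses is the separate "EC PARAMETERS" PEM block that `openssl ecparam -genkey` writes ahead of the private key. For a named curve that block is nothing more than the DER-encoded OID of the curve, and OpenSSL also records the same named-curve OID inside the ECPrivateKey structure, so the standalone block is redundant. The following script is an added example (not part of the post, acme.sh or pfSense) that parses such a file, checks that the parameters block is a known named curve rather than explicit parameters, and rebuilds the file without it, which is the same result -noout gives. The sample PEM and the private-key body are constructed placeholders, not real key material.

```python
import base64
import re

# Constructed sample of what `openssl ecparam -name prime256v1 -genkey` writes when
# -noout is NOT given: a named-curve parameters block followed by the private key.
# The private-key body below is a placeholder string, not real key material.
SAMPLE_PEM = """-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDERNOTAREALKEYPLACEHOLDERNOTAREALKEY
-----END EC PRIVATE KEY-----
"""

# Named curves acme.sh's _createkey() can select (OID -> OpenSSL curve name).
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def split_pem_blocks(text):
    """Return [(label, base64_body)] for every PEM block in text, in order."""
    return [(m.group(1), m.group(2)) for m in _BLOCK.finditer(text)]


def decode_oid(der):
    """Decode a single DER-encoded OBJECT IDENTIFIER (tag 0x06) to dotted form."""
    if len(der) < 2 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a single DER OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs the first two arcs
    value = 0
    for b in body[1:]:  # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def named_curve_of(params_b64):
    """Map an EC PARAMETERS block to its curve name, or None if it is not a known
    named curve (explicit parameters, a DER SEQUENCE with tag 0x30, is the other
    form openssl can emit and is the case worth looking at before stripping)."""
    der = base64.b64decode(params_b64)
    if der[:1] != b"\x06":
        return None
    return NAMED_CURVES.get(decode_oid(der))


def strip_ec_parameters(text):
    """Rebuild the PEM text without any EC PARAMETERS block, leaving the other
    blocks byte-for-byte intact: the same file layout -noout produces directly."""
    kept = [
        "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
        for label, body in split_pem_blocks(text)
        if label != "EC PARAMETERS"
    ]
    return "".join(kept)


if __name__ == "__main__":
    for label, body in split_pem_blocks(SAMPLE_PEM):
        if label == "EC PARAMETERS":
            print("parameters block present, named curve:", named_curve_of(body))
    print(strip_ec_parameters(SAMPLE_PEM))
```

Run against a key file written by the un-patched _createkey(), `named_curve_of` reports which curve the leading block names; if it returns None the file carries explicit parameters instead, and that is the one situation where the block conveys information the key would otherwise lack and should be inspected before it is dropped. For the named curves acme.sh selects, removing the block changes nothing cryptographically; it only changes what PEM readers that expect the private key to be the first block (such as the IPsec daemon in the post) will see.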