    ACME Package generating EC KEY parameters along with key.

semalb:

I'm using the ACME package to generate EC certificates for IPsec IKEv2 VPN.
I know EC certificates are not supported for IPsec yet, but I managed to change the pfSense scripts to accept EC certificates a few months ago, and now I'm moving from self-signed certs to Let's Encrypt certs.

The problem arises when the certificate is generated by the ACME package: openssl generates EC PARAMETERS by default along with the key, which prevents the IPsec daemon from correctly reading the EC private key.
I managed to fix it by adding the -noout switch to the following line in the _createkey() function in acme.sh:

      ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey -noout 2>/dev/null >"$f"

As far as I know the EC parameters are irrelevant and can be safely removed, but I would like to know if there's something that might actually break or lower security by adding the -noout switch. Do you think it can be safely removed? Will the -noout switch ever be added to the main code?

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.