How to replace Let's Encrypt RSA 4096 bits with ECC 256 bits?

How to replace Discourse LetsEncrypt Certificate from RSA 4096 bits to ECC 256 bits?
I want this permanent on my install, even after upgrade of discourse, is that possible?

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per What is RSA, DSA and ECC? ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

4 Likes

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

3 Likes

I hope this has nothing to do with the installs where the reverse proxy handles ssl!

Additional Info: ECDSA: The digital signature algorithm of a better internet

All Cloudflare powered website under Free Plan are using ECC.

At least maybe give us an option :).

1 Like

That’s an empty set. I’d bet on it. :beers:

3 Likes

It is an option you just have to figure out how to write the template and mix it in

Is it enough by editing line 59 & 63 on this file?
And then rebuild discourse?

Editing line 59 & 63 on /templates/web.letsencrypt.ssl.template.yml didn’t work.
My code:

Maybe it will work if I force to renew/generate new cert?
What is the command under Discourse?
Thanks!