XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Installation: expecting an rsa key, any plans to support elliptic curve keys?

    Scheduled Pinned Locked Moved Xen Orchestra
    9 Posts 6 Posters 273 Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      josh-hemphill
      last edited by

      Does anyone know if there's plans to support ed25519 and other elliptic curve TLS keys? Especially now that many public Certificate Authorities are moving to them.
      I wasn't following any official documentation, so I can't complain about running into this limitation unexpectedly, though I'd be interested to know if it is well documented already, if not, I'd be happy to submit documentation PRs.

      julien-fJ 1 Reply Last reply Reply Quote 0
      • olivierlambertO Online
        olivierlambert Vates 🪐 Co-Founder CEO
        last edited by

        @julien-f does it ring any bell?

        1 Reply Last reply Reply Quote 0
        • julien-fJ Offline
          julien-f Vates 🪐 Co-Founder XO Team @josh-hemphill
          last edited by

          @josh-hemphill For the time being, xo-server generates certificates using RSA 2048 keys, but you can use your own certificate with other algos like P-384 ECDSA.

          jivanpalJ 1 Reply Last reply Reply Quote 0
          • jivanpalJ Online
            jivanpal @julien-f
            last edited by jivanpal

            @julien-f Running XCP-ng 8.3, I encounter this error when running xe host-server-certificate-install to install a P-256 ECDSA cert, which was generated by Let's Encrypt using their default settings:

            The provided key uses an unsupported algorithm.
algorithm_oid: p256

            Any ideas on how to resolve this?

            EDIT: Woops, I didn't realise this was the XO forum section.

            1 Reply Last reply Reply Quote 0
            • olivierlambertO Online
              olivierlambert Vates 🪐 Co-Founder CEO
              last edited by

              For the XCP-ng question, pinging @Team-OS-Platform-Release

              1 Reply Last reply Reply Quote 0
              • stormiS Online
                stormi Vates 🪐 XCP-ng Team
                last edited by

                That's actually a question for @Team-XAPI-Network

                1 Reply Last reply Reply Quote 0
                • gthvn1G Offline
                  gthvn1 Vates 🪐 XCP-ng Team
                  last edited by gthvn1

                  @jivanpal said in Installation: expecting an rsa key, any plans to support elliptic curve keys?:

                  uses an unsupported algorithm

                  The only supported algorithms are RSA 2048 and 4096. I'm not sure if there are good reason to not support ECDSA. I remembers some discussions about this, will try to find them.

                  gthvn1G jivanpalJ 2 Replies Last reply Reply Quote 0
                  • gthvn1G Offline
                    gthvn1 Vates 🪐 XCP-ng Team @gthvn1
                    last edited by

                    Oh no in fact the discussion that I remember (just find it) was about why not accept SHA 384: https://github.com/xapi-project/xen-api/pull/6467

                    lindig opened this pull request in xapi-project/xen-api

                    closed CP-307865 accept SHA512 for custom server certs #6467

                    1 Reply Last reply Reply Quote 0
                    • jivanpalJ Online
                      jivanpal @gthvn1
                      last edited by

                      @gthvn1 Well that's unfortunate... I've generated an RSA-2048 cert with Certbot and it works, but it would be nice to have support for ECC.

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post