XCP-ng

    Installation: expecting an rsa key, any plans to support elliptic curve keys?

    Forum section: Xen Orchestra
    • josh-hemphill

      Does anyone know if there's plans to support ed25519 and other elliptic curve TLS keys? Especially now that many public Certificate Authorities are moving to them.
      I wasn't following any official documentation, so I can't complain about running into this limitation unexpectedly, though I'd be interested to know if it is well documented already, if not, I'd be happy to submit documentation PRs.

      • olivierlambert (Vates 🪐 Co-Founder CEO)

        @julien-f does it ring any bell?

        • julien-f (Vates 🪐 Co-Founder, XO Team), replying to @josh-hemphill

          @josh-hemphill For the time being, xo-server generates certificates using RSA 2048 keys, but you can use your own certificate with other algos like P-384 ECDSA.

          • jivanpal, replying to @julien-f

            @julien-f Running XCP-ng 8.3, I encounter this error when running xe host-server-certificate-install to install a P-256 ECDSA cert, which was generated by Let's Encrypt using their default settings:

            The provided key uses an unsupported algorithm.
            algorithm_oid: p256

            Any ideas on how to resolve this?

            EDIT: Whoops, I didn't realise this was the XO forum section.

            • olivierlambert (Vates 🪐 Co-Founder CEO)

              For the XCP-ng question, pinging @Team-OS-Platform-Release

              • stormi (Vates 🪐 XCP-ng Team)

                That's actually a question for @Team-XAPI-Network

                • gthvn1 (Vates 🪐 XCP-ng Team)

                  @jivanpal said in Installation: expecting an rsa key, any plans to support elliptic curve keys?:

                  uses an unsupported algorithm

                  The only supported algorithms are RSA 2048 and 4096. I'm not sure if there are good reasons to not support ECDSA. I remember some discussions about this, will try to find them.

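A pre-flight check for the error reported above, added here as an example and not code from XCP-ng or XAPI: it classifies a PEM private key with the openssl CLI (assumed to be installed) and flags anything other than RSA 2048/4096, the set gthvn1 states XAPI accepts, before you spend time on xe host-server-certificate-install. The RSA and P-256 keys it inspects are constructed in a temp dir purely for the demonstration.

```shell
#!/bin/sh
# Example check, not XCP-ng/XAPI code. Assumes the openssl CLI is on PATH.
# Classify a PEM private key by the properties XAPI's certificate install checks.
# Prints one of: rsa-<bits>, ec-<curve>, eddsa, other, unreadable.
key_algo() {
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    # "Private-Key: (2048 bit, 2 primes)" / "(256 bit)" -> key size in bits
    bits=$(printf '%s\n' "$text" | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    case "$text" in
        *"ASN1 OID:"*)                       # EC keys print their named curve
            curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
            echo "ec-$curve" ;;
        *ED25519*|*ED448*) echo eddsa ;;     # EdDSA keys (asked about in the OP)
        *modulus:*)        echo "rsa-$bits" ;;
        *)                 echo other ;;
    esac
}

# Returns 0 when the key is RSA 2048 or 4096 (what the thread says XAPI accepts), 1 otherwise.
xapi_accepts() {
    case "$(key_algo "$1")" in
        rsa-2048|rsa-4096) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo keys for this example only; never reuse them on a real host.
make_demo_keys() {
    DEMO_DIR=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$DEMO_DIR/rsa2048.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$DEMO_DIR/p256.pem" 2>/dev/null
}

make_demo_keys
for k in "$DEMO_DIR"/*.pem; do
    if xapi_accepts "$k"; then verdict="ok for xe host-server-certificate-install"
    else verdict="will be rejected (unsupported algorithm)"; fi
    echo "$k: $(key_algo "$k") -> $verdict"
done
```

Point it at the key Certbot or your CA tooling produced (for example `key_algo /path/to/privkey.pem`) to see at a glance whether it is the RSA-2048 kind jivanpal later reports working or the P-256 kind that triggered the error.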
                  • gthvn1 (Vates 🪐 XCP-ng Team), replying to @gthvn1

                    Oh no, in fact the discussion that I remember (just found it) was about why not accept SHA 384: https://github.com/xapi-project/xen-api/pull/6467

                    (xapi-project/xen-api PR #6467, opened by lindig, closed: "CP-307865 accept SHA512 for custom server certs")

                      • jivanpal, replying to @gthvn1

                      @gthvn1 Well that's unfortunate... I've generated an RSA-2048 cert with Certbot and it works, but it would be nice to have support for ECC.

                        • andriy.sultanov (Vates 🪐 XAPI & Network Team), replying to @jivanpal

                        @jivanpal We do not currently have any plans to support elliptic curve keys - this is a very sensitive topic given different governmental security requirements around the world.

                        Note that Let's Encrypt recommends a dual setup for this exact reason: "Our recommendation is to serve a dual-cert config, offering an RSA certificate by default, and a (much smaller) ECDSA certificate to those clients that indicate support." (https://letsencrypt.org/docs/integration-guide/)
