Dual RSA/ECDSA Certificates in Apache 2.4

2016-02-28 Update: I’ve written a new post about moving to ECDSA certificates using Apache & Let’s Encrypt.

2016-01-31 Update: Thanks to Dan Mahoney for some feedback. I made some minor tweaks: mainly, I removed 521-bit ECC key support from the example commands and tweaked the cipher list used in Apache.

2015-07-27 Update: Thanks to Matthias Scheler for letting me know that secp521r1 has been removed as a supported curve from Google Chrome. You should use secp256r1 or secp384r1 if you want to use ECDSA with newer Google Chrome clients.

Today I experimented with getting a domain-validated ECDSA certificate for this blog. It appears that Comodo PositiveSSL is one certificate authority that supports this. This was good for me, as you can get these certificates fairly cheaply (around $5 per cert). It was a somewhat interesting process and there weren’t many written resources around to help me, so here is the write-up.

OpenSSL

I did all the following with OpenSSL 1.0.2c.

  1. Work out which elliptic curves OpenSSL supports (I’ve included only the NIST secp curves here):

    > openssl ecparam -list_curves
    secp224r1 : NIST/SECG curve over a 224 bit prime field
    secp384r1 : NIST/SECG curve over a 384 bit prime field

  2. Generate the private key.

    > openssl ecparam -out key.pem -name secp384r1 -genkey

  3. Generate the certificate signing request.

    > openssl req -new -key key.pem -out cert.req

Comodo PositiveSSL

Once I had the CSR, I submitted it as usual and followed the process. Nothing looked different at all vs. the RSA process. When the signed certificate arrived, it looked like this:

[Image: blog.joelj.org ECC certificate]

Looks good!

There’s only one thing to note for the future: when you build up the certificate chain for Apache, you normally keep the site certificate and intermediary certificates in a single file. The files that Comodo emails you when you request an ECDSA certificate are actually the intermediaries for RSA certificates. After some googling, I found this page, which had a version of the ECC intermediaries stored.
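
One way to check which intermediate actually issued a certificate before building the chain file, as an added example that is not part of the original post. The CAs and leaf are constructed throwaway test material rather than Comodo's certificates, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. All keys and certificates are constructed throwaway test
# material generated on the fly, not Comodo's real intermediates.

# chain_matches <leaf.crt> <intermediate.crt>
# Succeeds only if the leaf names the intermediate as its issuer AND the
# leaf's signature verifies against the intermediate's public key.
chain_matches() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ] || return 1
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_alg <cert>: public key algorithm (rsaEncryption or id-ecPublicKey).
key_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm/ {print $4; exit}'
}

# make_fixture <dir>: builds an ECC test CA, an RSA test CA, and an ECDSA
# leaf signed by the ECC CA (the situation described above, in miniature).
make_fixture() {
  ( set -e; cd "$1"
    openssl ecparam -name secp384r1 -genkey -noout -out ecc-ca.key
    openssl genrsa -out rsa-ca.key 2048
    for ca in ecc-ca rsa-ca; do
      openssl req -x509 -new -key "$ca.key" -subj "/CN=Constructed $ca" \
        -days 2 -out "$ca.crt"
    done
    openssl ecparam -name secp384r1 -genkey -noout -out leaf.key
    openssl req -new -key leaf.key -subj "/CN=leaf.example" -out leaf.csr
    openssl x509 -req -in leaf.csr -CA ecc-ca.crt -CAkey ecc-ca.key \
      -CAcreateserial -days 2 -out leaf.crt
  ) >/dev/null 2>&1
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_fixture "$dir"
for ca in ecc-ca rsa-ca; do
  if chain_matches "$dir/leaf.crt" "$dir/$ca.crt"; then
    verdict="issued the leaf"
  else
    verdict="did NOT issue the leaf"
  fi
  echo "$ca ($(key_alg "$dir/$ca.crt")): $verdict"
done
```

Run `chain_matches` against each file the CA sends; only an intermediate that passes belongs directly after the site certificate in the chain file.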

Here are the ECC intermediaries in a non-binary format in case anyone wants them:

COMODO ECC Domain Validation Secure Server CA



COMODO ECC Certification Authority



Apache Configuration

The next step was to configure Apache 2.4 to run in a dual RSA/ECDSA certificate configuration. This is actually quite simple: repeat the certificate/key directives twice within the same virtual host block (note: you should copy the intermediate certs and any DH parameters into the cert file):


#ECDSA
SSLCertificateFile /etc/apache2/certs/ecdsa.cert.crt
SSLCertificateKeyFile /etc/apache2/certs/ecdsa.key.pem

#RSA
SSLCertificateFile /etc/apache2/certs/rsa.cert.crt
SSLCertificateKeyFile /etc/apache2/certs/rsa.key.pem

For the next section, I had the SSL cipher suite priority configured as follows:

SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!SSLV3:!3DES:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
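
How the dual configuration and this cipher order interact, as an added example that is not from the original post: a simplified shell model of TLS 1.2 suite selection with SSLHonorCipherOrder On, using the first eight suites of the list above. The two client offers are constructed, the function names are hypothetical, and the model ignores the client's signature-algorithm and curve extensions.

```shell
#!/usr/bin/env bash
# Added example: simplified model of TLS <= 1.2 negotiation, where the chosen
# cipher suite decides whether the ECDSA or the RSA certificate is presented.

# Server preference order: the first eight suites of the page's SSLCipherSuite.
SERVER_PREF="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

# Constructed client offers (assumptions, not captured from real browsers).
MODERN="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
RSA_ONLY="ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256"

# auth_of <suite>: certificate type the suite authenticates with.
auth_of() {
  case "$1" in
    *-ECDSA-*) echo ECDSA ;;
    *-RSA-*)   echo RSA ;;
    *)         echo UNKNOWN ;;
  esac
}

# negotiate <installed cert types, e.g. "ECDSA RSA"> <client suites, colon-separated>
# Prints "<suite> <cert type>" for the first server-preferred suite that the
# client offers and the server holds a certificate for; otherwise prints
# "handshake_failure" and returns 1.
negotiate() {
  local certs=" $1 " client=":$2:" suite auth
  local IFS=:
  for suite in $SERVER_PREF; do
    auth=$(auth_of "$suite")
    case "$certs" in *" $auth "*) ;; *) continue ;; esac
    case "$client" in *":$suite:"*) echo "$suite $auth"; return 0 ;; esac
  done
  echo handshake_failure
  return 1
}

# Compare RSA-only, ECDSA-only and dual configurations for both clients.
for certs in "RSA" "ECDSA" "ECDSA RSA"; do
  for offer in "$MODERN" "$RSA_ONLY"; do
    printf '%-10s | %-52s -> %s\n' "$certs" "$offer" \
      "$(negotiate "$certs" "$offer" || true)"
  done
done
```

The RSA-only client fails against the ECDSA-only server and falls back to an RSA suite on the dual one, and because the server's order wins it lands on the DHE GCM suite rather than the ECDHE CBC suite the client listed first.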

I also encountered an issue with dual-cert setups when running Apache 2.4 combined with OpenSSL 1.0.1 (as on an Ubuntu LTS server). It seems that having two completely different certificate chains for dual RSA/ECDSA certificates requires OpenSSL 1.0.2 or higher. My workaround was to send all 4 RSA and ECDSA intermediaries with BOTH the RSA and ECDSA certificates. (That means it works fine with OpenSSL 1.0.1f, but you’re always sending two extra certs you don’t need.)

Qualys

The next step was to run the Qualys SSL test to see how different browsers responded to a pure RSA configuration vs. pure ECDSA vs. dual RSA/ECDSA:

[Image: ECC Screenshot 2]
(Note: This screenshot is a little old; the new cipher suite above is a little more lenient.)

Looks good enough to keep!

8 thoughts on “Dual RSA/ECDSA Certificates in Apache 2.4”

  1. Hello,

    I just did a similar experiment but using LibreSSL (on CentOS 7) as opposed to OpenSSL.

    I did not set up Apache as dual cert; part of my experiment was to see how well the server would do with the emulated clients in the Qualys SSL Labs test with just the ECDSA key, and interestingly, there were no failures (other than failures I already get with an RSA private key).

    I’m not sure that Dual RSA/ECDSA is actually needed. Maybe for very old clients that don’t support the ECDHE cipher suites, but I don’t support them anyway.

    An interesting note on the ecparam -list_curves command – when using the stock openssl that ships with CentOS 7, it gives me a very slim selection of curves:

    openssl ecparam -list_curves
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field

    When using libressl 2.2.3 – the output is more than a screen’s worth of data. I *think* CentOS OpenSSL is so limited due to patents on curves but I am not sure. I ended up going with secp384r1 because it seems to have fairly broad client support, and probably doesn’t have patent issues, but I would be very interested in reading articles that discuss the merits of the various curves.

    My current site is just a test site but I suspect as my various RSA private keys expire, I’ll be replacing them with ECDSA without using dual cert, as it appears only clients too old to even support things like NSI extension are a problem.

    For mail servers, I’ve been warned to keep using RSA for a while, as a lot of MTAs don’t support ECDSA keys yet.
