Core: system/trust: Support EC keys

Created on 12 Nov 2018 · 2 Comments · Source: opnsense/core

Currently all internal (Sub)CAs can only use RSA private keys.
It would be great to have support for EC as well and switch between the two modes during CA creation on the local OPNsense device.

When creating internal certificates on the device, the respective key type of the (Sub)CA shall be considered. E.g. only offer to choose EC key type when the (Sub)CA is actually of that type.

EC type (Sub)CAs can also handle RSA keys but I do not think it makes sense to let people mix it. Eventually that means that the certificate keys shall always match the CA key type.

help wanted

All 2 comments

I submitted PR #3649 as a start to this feature request.

It would be great to have support for EC as well and switch between the two modes during CA creation on the local OPNsense device.

In this first draft, I added the option to select a key type of RSA or Elliptic Curve during the CA creation process on system_camanager.php. If you select a key type of RSA, you are asked to select a key length. If you select Elliptic Curve, you are asked to select a curve.

[Screenshot: Screen Shot 2019-08-15 at 8 43 59 PM]

[Screenshot: Screen Shot 2019-08-15 at 8 44 08 PM]

When creating internal certificates on the device, the respective key type of the (Sub)CA shall be considered. E.g. only offer to choose EC key type when the (Sub)CA is actually of that type.

EC type (Sub)CAs can also handle RSA keys but I do not think it makes sense to let people mix it. Eventually that means that the certificate keys shall always match the CA key type.

This is not implemented, and I am not sure if it should be. Looking for feedback.
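The rule stated in the issue and quoted above (a certificate's key family should match the key family of its issuing (Sub)CA) can be checked directly on the keys. This is an added example, not OPNsense code or the PR's code: a minimal DER reader pulls the algorithm out of a SubjectPublicKeyInfo and a comparison function enforces the rule. The two sample SPKIs are constructed; their framing is valid DER but the EC point and RSA modulus are dummy bytes, not real keys.

```python
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
CURVES = {"1.2.840.10045.3.1.7": "prime256v1",
          "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"}

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def key_type(spki_der):
    """Return ('rsa', modulus_bits) or ('ec', curve_name) for a DER SubjectPublicKeyInfo."""
    _, spki, _ = _tlv(spki_der, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, algid, after_alg = _tlv(spki, 0)       # AlgorithmIdentifier SEQUENCE
    _, oid, after_oid = _tlv(algid, 0)        # algorithm OID
    alg = _oid(oid)
    if alg == OID_EC:                         # parameters carry the namedCurve OID
        _, curve, _ = _tlv(algid, after_oid)
        return "ec", CURVES.get(_oid(curve), _oid(curve))
    if alg == OID_RSA:                        # BIT STRING wraps an RSAPublicKey
        _, bits, _ = _tlv(spki, after_alg)
        _, rsapub, _ = _tlv(bits[1:], 0)      # skip the unused-bits octet
        _, modulus, _ = _tlv(rsapub, 0)       # INTEGER n, possibly with a 0x00 pad
        return "rsa", (len(modulus) - int(modulus[0] == 0)) * 8
    raise ValueError("unsupported public key algorithm " + alg)

def matching_key_type(ca_spki, cert_spki):
    """The issue's rule: the certificate key family must equal the (Sub)CA's."""
    return key_type(ca_spki)[0] == key_type(cert_spki)[0]

# Constructed sample SPKIs (valid DER framing, dummy key material).
EC_P256_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200"
                             "04") + b"\x11" * 64
RSA_2048_SPKI = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00"
                               "3082010a0282010100") + b"\xc3" * 256
                 + bytes.fromhex("0203010001"))
```

The same `key_type` result is what a UI would consult to offer only curves for an EC (Sub)CA and only key lengths for an RSA one.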

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.
