View Issue Details

IDProjectCategoryView StatusLast Update
0001202Main CAcert Websitecertificate issuingpublic2018-02-10 10:09
Reporterequinox Assigned To 
Status confirmedResolutionopen 
PlatformallOSallOS Versionall
Summary0001202: Support for Elliptic Curve Certificates
DescriptionAs some experts are talking about the possibility that RSA and classic DH may be unsure to use in 4 to 5 years [1][2], it might be nice to have support for ECDSA certificates. I tried to sign a CSR using ECDSA some days ago but the system never returned a certificate... i assume it got ignored because ECC is not support by now.

[1] ..
[2] ..
Additional Informationsame as 0001238;
have same experience using elliptic keys that are fine for Mozilla and others.
My signing request, on basis of key alg. secp384r1, still worked 6 months ago. But now asking for renewal the check_weak_key.php says that the key algorithm is not recognized and so signing done because of security. This is the default after only some RSA tests.
Now have to redo all security of the webserver because cacert doesn't know DH and elliptic keys anymore.
Requests were generated with latest openssl. Please restore this functionality!
Tagsfuture, new feature
Reviewed by
Test Instructions


has duplicate 0001238 confirmed Problems with signing server certs with elliptic curve crypto 



2013-08-24 12:01

reporter   ~0004246

I can confirm this. I remember from a short conversation with BenBE about this that OpenSSL just has to be upgraded. A quick look at cacert-devel a82f507306a9eba8a9f5dff82d2091dbd29edf71 confirms this.


2014-09-25 22:35

reporter   ~0005031

Hm, I don't understand - updates some text files...?

Also, when I try to get a EC CSR signed, it's not "not returning a certificate", but it's printing out an error here, without much detail though:

1) openssl ecparam -name prime256v1 -out foo_ecparam.pem
2) openssl req -newkey ec:foo_ecparam.pem -sha512 -out foo_ec.csr \
          -keyout foo_ec.key -nodes \
          -subj "/C=AB/ST=Foo/L=Bar/O=Baz/"
3) Go to and paste foo_ec.csr gives:

   The keys you supplied use an unrecognized algorithm.
   For security reasons these keys can not be signed by CAcert.


2015-10-08 21:10

reporter   ~0005464

This still seems to be an issue. Are there any plans for this?


2016-01-19 00:04

reporter   ~0005493

I cant do it as well. trying with p521 key for tinfoil hat reasons (replacing a 16k rsa key)


2016-02-02 20:20

updater   ~0005494

There are plans for support for this.

The comment in is related to DSA.

For ECDSA (ECC) to work, the appropriate checks need to be implemented to verify the provided ECDSA key is sane. These checks are currently still completely missing. Providing a patch for these will help greatly.


2017-04-07 22:10

reporter   ~0005544

Interesting read about ECC


2017-10-16 12:48

reporter   ~0005558

awesome, thanks travm1

Issue History

Date Modified Username Field Change
2013-08-16 16:03 equinox New Issue
2013-08-20 20:30 BenBE Status new => confirmed
2013-08-24 12:01 ott Note Added: 0004246
2014-08-10 10:22 senora Severity feature => major
2014-08-10 10:22 senora Additional Information Updated
2014-09-25 22:26 ckujau Relationship added has duplicate 0001238
2014-09-25 22:35 ckujau Note Added: 0005031
2015-10-08 21:10 klondike Note Added: 0005464
2016-01-19 00:04 My1 Note Added: 0005493
2016-02-02 20:20 BenBE Note Added: 0005494
2017-04-07 22:10 travm1 Note Added: 0005544
2017-10-16 12:48 thalamus Note Added: 0005558
2018-02-10 10:09 L10N Tag Attached: future
2018-02-10 10:09 L10N Tag Attached: new feature