
letsencrypt puppetization: add parallel rsa+ecdsa cert support
Closed, Resolved (Public)

Description

We should generate both RSA and ECDSA certs and use them in parallel like we do for the primary clusters (which is possible at least on our Jessie nginx hosts, and probably Jessie Apache too). This increases cipher strength (from FS+CBC to FS+AEAD) for IE11 clients on Windows versions < 10.

Event Timeline

I don't know if we're going to end up doing this in the current letsencrypt puppetisation, but it's there in certcentral.

I think at this point the route forward is certcentral and there's not much point keeping this particular ticket open. Feel free to reopen if you disagree.
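The effect the description refers to, as an added example that is not part of the ticket or of the puppet code: a small model of server-preference cipher selection with one versus two certificate types. The server preference order and the three client offers are constructed for illustration; the legacy offer is modelled on the description (AEAD offered only with ECDSA authentication), not captured from a real client.

```python
# Added illustration: which suite a server-preference TLS stack selects,
# depending on which certificate types it has loaded.
# All lists are constructed for this example (OpenSSL suite names).

# Assumed server order: forward-secret AEAD first, then forward-secret CBC.
SERVER_PREFERENCE = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA",
]

# Constructed client offers.
LEGACY_CLIENT = [            # GCM only with ECDSA auth, CBC with either
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
]
MODERN_CLIENT = list(SERVER_PREFERENCE)            # supports everything
RSA_ONLY_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256",  # no ECDSA support at all
                   "ECDHE-RSA-AES128-SHA"]

def auth_type(suite):
    """Return the certificate key type a suite needs: 'RSA' or 'ECDSA'."""
    return suite.split("-")[1]

def is_aead(suite):
    """True for AEAD suites (GCM here); CBC suites end in a bare MAC name."""
    return "GCM" in suite

def negotiate(client_offer, server_cert_types):
    """First suite in server order that the client offers and for which
    the server holds a certificate of the matching key type."""
    for suite in SERVER_PREFERENCE:
        if suite in client_offer and auth_type(suite) in server_cert_types:
            return suite
    return None  # handshake failure: no usable suite in common

if __name__ == "__main__":
    clients = {"legacy": LEGACY_CLIENT, "modern": MODERN_CLIENT,
               "rsa-only": RSA_ONLY_CLIENT}
    for certs in ({"RSA"}, {"ECDSA"}, {"RSA", "ECDSA"}):
        for name, offer in clients.items():
            suite = negotiate(offer, certs)
            mode = "none" if suite is None else ("AEAD" if is_aead(suite) else "CBC")
            print(f"certs={sorted(certs)} client={name}: {suite} ({mode})")
```

With only an RSA certificate the legacy client lands on a CBC suite; with only ECDSA the RSA-only client fails to connect, which is why the two certificates are served in parallel rather than one replacing the other.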