ECDSA cryptography support for ACME accounts and for host keys

CertMgr supports Elliptic Curve Digital Signature Algorithm (ECDSA) using the NIST P-256 and NIST P-384 curves for ACME accounts and for TLS 1.2 host keys (keyring files) generated from either the Let's Encrypt® CA or a third-party CA.

ECDSA keys are much shorter than RSA keys of equivalent strength and generally offer improved performance over their RSA equivalents.
  • A 256 bit (NIST P-256) ECDSA key is generally considered to be equivalent in strength to a 3072 bit RSA key or a 128 bit AES key.
  • A 384 bit (NIST P-384) ECDSA key is generally considered to be equivalent to a 7680 bit RSA key or a 192 bit AES key.
  • A 512+ bit ECDSA key (NIST P-521) is generally considered to be equivalent to a 15360 bit RSA key or a 256 bit AES key.

The Let's Encrypt certificate authority does not currently support NIST P-521. However, the Domino TLS stack and the CertMgr backend TLS both support NIST P-521 for TLS host keys (keyring files).

A Domino server configured to use an ECDSA keyring file via CertMgr or kyrtool supports the following two TLS 1.2 cipher suites, which are supported by most current browsers and devices:
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)

TLS versions before 1.2 do not support ECDSA. If configured, ECDSA host keys are used for all internet protocols, not just HTTPS.
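As an added example (not part of the CertMgr documentation or of Domino's code), the following Go program uses Go's crypto/tls in place of the Domino TLS stack: it generates a constructed, self-signed NIST P-384 host certificate (the hostname domino.example.test is made up), serves it over an in-memory pipe as a TLS 1.2-only endpoint restricted to the two suites above, and lets you confirm that a TLS 1.2 client lands on 0xC02B or 0xC02C while a client limited to TLS 1.0/1.1 is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ecdsaHostCert builds a constructed self-signed cert on the given NIST curve, standing in for a CertMgr-issued ECDSA host key.
func ecdsaHostCert(curve elliptic.Curve) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "domino.example.test"}, // made-up hostname
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// negotiate runs one handshake over an in-memory pipe against a TLS 1.2-only server offering exactly the two ECDHE-ECDSA GCM suites.
func negotiate(cert tls.Certificate, clientMin, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srv := tls.Server(srvConn, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xC02B
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}, // 0xC02C
	})
	go func() { _ = srv.Handshake() }() // server side; its result surfaces on the client as an alert
	// InsecureSkipVerify only because the test certificate is self-signed; the client's version range is the variable under test.
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, MinVersion: clientMin, MaxVersion: clientMax})
	if err := cli.Handshake(); err != nil {
		return 0, err // a TLS 1.0/1.1-only client is refused here: no ECDSA suites exist below TLS 1.2
	}
	return cli.ConnectionState().CipherSuite, nil
}
```

Swap elliptic.P384() for elliptic.P256() or elliptic.P521() to see the same two suites negotiated with the other curve sizes the page lists.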

Why not always use ECDSA instead of RSA? Some within the security industry are concerned about a lack of transparency in how the NIST curves were selected, and so prefer using RSA despite the performance penalty.

ACME accounts

The default setting for new ACME account keys is ECDSA NIST P-384 in certstore.ntf. RSA account keys are supported for use with ACME-based CAs that do not support ECDSA account keys. Once you have registered an ACME account document with a Key ID (KID) and private key, you must create a new ACME account document to switch between ECDSA and RSA.

TLS host keys

The default configuration for new host keys generated by the Let's Encrypt CA or a third-party CA remains 4096 bit RSA. You can change key types and key sizes via key rollover. For more information, see Requesting a key rollover.