Tags: lets-encrypt, ecdsa

How can I persist values of KeyUsage and BasicConstraints in the ECDSA based certificates from LetsEncrypt?


I am trying to set up a CA and I need a root certificate for this CA. This root certificate has to be signed by a public CA and the signing algorithm has to be ECDSA with the prime256v1 curve.

I am following this issue on the LetsEncrypt forum. However, I am using a separate utility for generating the keys and CSR. This utility helps me generate ECDSA keys and a CSR successfully. Following is the CSR that's generated:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=MyOrg, L=Bengaluru, ST=Karnataka, C=IN, CN=mydomain.in
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    <value>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
        <value>

So, basically I am getting correct values for KeyUsage and BasicConstraints in the extension.

Now, for the next step, I am using the following command from my EC2 instance:

certbot certonly -d <mydomain> --server https://acme-v02.api.letsencrypt.org/directory --csr <csr_generated_above> --cert-name <mydomain>

Using this command I'm able to get a certificate signed by LetsEncrypt along with the certificate chain. However, in the certificate that is generated, I get different values for KeyUsage and BasicConstraints:

Owner: CN=<my_domain>
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: <value>
Valid from: Fri Jan 03 14:46:29 UTC 2020 until: Thu Apr 02 14:46:29 UTC 2020
Certificate fingerprints:
    SHA1: <value>
    SHA256: <value>
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 256-bit EC key
Version: 3

Extensions: 

#1: <value>
#2: <value>
#3: <value>

#4: ObjectId: <value> Criticality=true
BasicConstraints:[
    CA:false
    PathLen: undefined
]

#5: <value>
#6: ObjectId: <value> Criticality=false
ExtendedKeyUsages [
    serverAuth
    clientAuth
]

#7: ObjectId: <value> Criticality=true
KeyUsage [
    DigitalSignature
]

#8: <value>
#9: <value>

As seen above, the KeyUsage, BasicConstraints and signature algorithm are not persisted. And the issue is that my CA needs one of the KeyUsage values to be 'Certificate Sign', because of which my CA is not able to spin up.

So my question is:

  1. Is it feasible to get a root cert for my CA from LetsEncrypt?
  2. If yes, do we need to pass some extra flags with the cert bot command?
  3. Or where am I getting this wrong?

I'm quite new to using a public CA for certificate generation.


Solution

  • LetsEncrypt does not issue anything except Domain Validated certificates. No code signing certificates, no root CA certificates, nothing else.

    https://letsencrypt.org/docs/faq/
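An added example, not code from the question or the answer above, that reproduces the situation in Python with the `cryptography` package (an assumed dependency). It builds the ECDSA P-256 CSR shown in the question, issues a leaf certificate from it the way a DV-only public CA does (the issuer writes its own profile's extensions and ignores the CA:TRUE and keyCertSign requests in the CSR), builds the self-signed root the CA product actually needs, and runs the check such a product performs before signing with a certificate. The issuer name "Hypothetical DV CA" and the helper names are mine.

```python
"""Added example (not from the original question or answer): why a DV-issued
leaf cannot serve as a CA root, with the `cryptography` package (assumed)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Subject taken from the question's CSR; the issuer name is a placeholder.
SUBJECT = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME, "mydomain.in"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MyOrg"),
    x509.NameAttribute(NameOID.COUNTRY_NAME, "IN"),
])
DV_ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Hypothetical DV CA")])
EKU = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])


def key_usage(*, cert_sign: bool, key_encipherment: bool = False) -> x509.KeyUsage:
    """digitalSignature always; keyCertSign and cRLSign only for a CA certificate."""
    return x509.KeyUsage(
        digital_signature=True, content_commitment=False,
        key_encipherment=key_encipherment, data_encipherment=False,
        key_agreement=False, key_cert_sign=cert_sign, crl_sign=cert_sign,
        encipher_only=False, decipher_only=False,
    )


def build_csr(key: ec.EllipticCurvePrivateKey) -> x509.CertificateSigningRequest:
    """The CSR from the question: CA:TRUE (critical), serverAuth/clientAuth,
    keyUsage digitalSignature, keyEncipherment, keyCertSign, cRLSign."""
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(SUBJECT)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(EKU, critical=False)
        .add_extension(key_usage(cert_sign=True, key_encipherment=True), critical=False)
        .sign(key, hashes.SHA256())
    )


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(issuer).public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
    )


def issue_dv_leaf(csr, issuer_key) -> x509.Certificate:
    """A DV-only issuer keeps the subject and key from the CSR, checks its
    signature, and writes its own extensions: CA:false, digitalSignature only."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid")
    return (
        _builder(csr.subject, DV_ISSUER, csr.public_key(), days=90)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(key_usage(cert_sign=False), critical=True)
        .add_extension(EKU, critical=False)
        .sign(issuer_key, hashes.SHA256())
    )


def make_private_root(key) -> x509.Certificate:
    """What the CA product needs: self-signed, CA:TRUE, keyCertSign.
    A public CA will not issue this, so it is created locally."""
    return (
        _builder(SUBJECT, SUBJECT, key.public_key(), days=3650)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(key_usage(cert_sign=True), critical=True)
        .sign(key, hashes.SHA256())
    )


def can_act_as_ca(cert: x509.Certificate) -> tuple:
    """RFC 5280 4.2.1.3 / 4.2.1.9: an issuer needs BasicConstraints CA:TRUE
    and, when KeyUsage is present, the keyCertSign bit."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False, "no BasicConstraints extension"
    if not bc.ca:
        return False, "BasicConstraints CA:false"
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True, "CA:TRUE, no KeyUsage extension"
    if not ku.key_cert_sign:
        return False, "KeyUsage lacks keyCertSign"
    return True, "CA:TRUE with keyCertSign"


def demo() -> dict:
    my_key = ec.generate_private_key(ec.SECP256R1())
    dv_key = ec.generate_private_key(ec.SECP256R1())  # stands in for the public CA's key
    csr = build_csr(my_key)
    return {
        "csr_requests_ca": csr.extensions.get_extension_for_class(x509.BasicConstraints).value.ca,
        "leaf": can_act_as_ca(issue_dv_leaf(csr, dv_key)),
        "root": can_act_as_ca(make_private_root(my_key)),
    }
```

Running `demo()` shows the CSR asking for CA:TRUE, the DV-issued leaf being rejected with "BasicConstraints CA:false", and the locally made root passing. The `keytool` dump in the question is exactly the leaf case: the requested extensions never influence what a public CA's profile emits, so the only way to get keyCertSign on that key is to sign the certificate yourself (or buy a subordinate CA certificate from a CA that sells them, which LetsEncrypt does not).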