Now Supporting ECC for Let's Encrypt Certificates
Javier Acero
on
A few weeks ago, we announced support of Elliptic Curve Cryptography for Certificates. We initially only added support for our Commercial Certificate integration, which uses Sectigo as certificate authority. We gradually increased the number of Sectigo certificates using ECC private keys until we reached 100%.
Today, we're happy to announce all our Let's Encrypt certificates are signed using Elliptic Curve private keys.
DNSimple + Let's Encrypt
DNSimple has been a long-time Let's Encrypt supporter, because their free, easy to use SSL certificates truly make the internet a better place. They issue more certificates than all other certificate authorities combined , relying only on donations to operate.
We first announced our Let's Encrypt integration in 2016. A few years later, in 2021, they rolled out support for ECDSA encryption. It shows how the industry has been slowly adopting it ever since, and it'll soon become the de facto standard. You can see this trend picking up speed with Mozilla recommending ECDSA for any modern TLS setup.
DNSimple has good company inside the Let's Encrypt ecosystem: Certbot, an open source tool for issuing Let's Encrypt certificates, has also announced their next major release will use ECC private keys by default.
Why ECC?
The internet needs to guarantee safe, private data exchanges, and cryptography has to keep up as technology gets more sophisticated. The public and private keys used in these communications are based on complex math equations, and generating them is a time-consuming, resource-heavy process.
The main advantage of using ECC instead of RSA is that it provides the same level of security using much smaller keys. This translates into faster processing in some operations, lower bandwidth usage, and lower energy consumption.
DNSimple currently supports two ECC curves:
- X9.62/SECG curve over a 256 bit prime field (prime256v1)
- NIST/SECG curve over a 384 bit prime field (secp384r1)
For Let's Encrypt certificates, we use prime256v1, which provides an equivalent level of security to the 2048 bit RSA key we've been using.
How does it work?
At DNSimple, we work to make the certificate issuance process as simple as possible. That's why our customers don't have to deal with private key generation (unless they really want to). Adopting Elliptic Curve Cryptography won't change that. All new Let's Encrypt certificates will be signed with an ECC key. Renewing an RSA-signed certificate is no different, and will automatically use an ECC private key.
We also updated our Redirector to properly handle ECC-signed certificates. If you're relying on our URL record to redirect traffic over HTTPs, you'll benefit from the performance improvements ECC brings to the table.
Improve your domain management with DNSimple
We're constantly working to bring you the best possible security, performance, and ease of use for your domain management. Not using DNSimple yet? Give us a try free for 30 days to experience our best-in-class domain and certificate management for yourself.
Have questions or want to learn more? Drop us a line – we're always happy to help.
Javier Acero
Programmer. Minimalist. Apple fanboy. Currently having fun at DNSimple. I love coffee and my cat.
We think domain management should be easy.
That's why we continue building DNSimple.
