Adding certificates by using the ECDSA key algorithm

With Certificate manager, you can issue certificates whose private key uses the ECDSA algorithm instead of RSA. ECDSA is a signature algorithm: the key signs TLS handshakes and, for a CA, the certificates it issues; it does not encrypt data. A Certificate resource can specify the private key algorithm and key size. Use the keyAlgorithm and keySize parameters to specify your customizations for the private key. For keyAlgorithm: ecdsa, keySize selects the curve: 256, 384 or 521 (P-256, P-384 or P-521). If these parameters are not set, a 2048-bit RSA key is created.

Limitation: A CA Issuer can issue ECDSA certificates only if its CA certificate and key were themselves created with the ECDSA algorithm. The reverse also applies: you cannot create an RSA certificate from a CA Issuer whose CA key is ECDSA. In short, the key algorithm of an issued certificate must match the key algorithm of the issuing CA.

For the current status of the limitation, see GitHub issue 1004: error creating x509 certificate requested SignatureAlgorithm.

Creating a certificate with ECDSA

To create a certificate that uses an ECDSA private key, follow the procedure in Creating IBM Cloud Private Certificate manager (cert-manager) certificates, but use the following sample, in which keyAlgorithm and keySize are required:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: ecdsa-ca-cert
  namespace: default
spec:
  secretName: ecdsa-ca-secret
  keyAlgorithm: ecdsa
  keySize: 521
  isCA: true
  issuerRef:
    name: ss-issuer
    kind: Issuer
  commonName: foo1.bar1
  dnsNames:
  - foo1.bar1

Using ECDSA with Issuers

CA Issuer

Because of the limitation, any certificate that specifies the ECDSA private key algorithm must be issued from a CA certificate that also specifies ECDSA as its key algorithm.

  1. Create a self-signed Issuer, which Certificate manager uses to sign the ECDSA CA certificate. See the following sample YAML:

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Issuer
    metadata:
      name: ss-issuer
      namespace: default
    spec:
      selfSigned: {}
    
  2. Next, create a CA certificate that is issued from the self-signed Issuer and uses the ECDSA key algorithm. This is the same resource as the sample in Creating a certificate with ECDSA; its private key and certificate are stored in the ecdsa-ca-secret secret:

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: ecdsa-ca-cert
      namespace: default
    spec:
      secretName: ecdsa-ca-secret
      keyAlgorithm: ecdsa
      keySize: 521
      isCA: true
      issuerRef:
        name: ss-issuer
        kind: Issuer
      commonName: foo1.bar1
      dnsNames:
      - foo1.bar1
    
  3. Create the CA Issuer that signs with the CA certificate and key from that secret. Certificates that specify keyAlgorithm: ecdsa can now reference ecdsa-ca-issuer in their issuerRef:

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Issuer
    metadata:
      name: ecdsa-ca-issuer
      namespace: default
    spec:
      ca:
        secretName: ecdsa-ca-secret
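The limitation comes down to one library check. Go's crypto/x509 package refuses to create a certificate when the template's SignatureAlgorithm does not match the type of the key that signs it, and "requested SignatureAlgorithm does not match private key type" is the library error behind the message in the issue title. The following example is added here and is not code from this page, from Certificate manager or from cert-manager: using only the Go standard library, it builds a P-521 ECDSA CA like ecdsa-ca-cert, issues a P-521 leaf from it, then tries an RSA leaf with the signature algorithm derived from the leaf key, which fails, and finally issues the same RSA leaf by letting the CA key choose the algorithm. The commonName foo1.bar1 is taken from the page; the 24-hour validity, the function names and the SigAlgFromLeafKey mapping are assumptions for illustration, and reading the issue as "the algorithm was chosen from the leaf key" is my interpretation, not a statement from this page.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal template; commonName mirrors the page, the 24-hour validity is an assumption.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// NewCA self-signs a CA certificate; SignatureAlgorithm is left zero, so the library matches it to key.
func NewCA(key crypto.Signer) (*x509.Certificate, error) {
	tmpl := newTemplate("foo1.bar1", true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SigAlgFromLeafKey picks the algorithm from the leaf's own key type: the mismatch behind the limitation.
func SigAlgFromLeafKey(leafKey crypto.Signer) x509.SignatureAlgorithm {
	switch leafKey.Public().(type) {
	case *ecdsa.PublicKey:
		return x509.ECDSAWithSHA256
	case *rsa.PublicKey:
		return x509.SHA256WithRSA
	}
	return x509.UnknownSignatureAlgorithm
}

// Issue signs a leaf for leafKey with the CA, requesting sigAlg; zero lets the library choose from caKey.
func Issue(caCert *x509.Certificate, caKey, leafKey crypto.Signer, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := newTemplate("foo1.bar1", false)
	tmpl.SignatureAlgorithm = sigAlg
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, leafKey.Public(), caKey)
	if err != nil {
		return nil, fmt.Errorf("error creating x509 certificate: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	// Verify against the CA the way a TLS client would before trusting the result.
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return nil, err
	}
	return cert, nil
}

// CurveBits returns the curve size of an ECDSA certificate key (521 for keySize: 521), or 0 for other key types.
func CurveBits(cert *x509.Certificate) int {
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		return pub.Curve.Params().BitSize
	}
	return 0
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) // keyAlgorithm: ecdsa, keySize: 521
	ecLeaf, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	rsaLeaf, _ := rsa.GenerateKey(rand.Reader, 2048) // the default key when keyAlgorithm is not set
	ca, err := NewCA(caKey)
	if err != nil {
		panic(err)
	}
	report := func(name string, key crypto.Signer, alg x509.SignatureAlgorithm) {
		cert, err := Issue(ca, caKey, key, alg)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			return
		}
		fmt.Printf("%s: %s over %s key, curve bits %d\n", name, cert.SignatureAlgorithm, cert.PublicKeyAlgorithm, CurveBits(cert))
	}
	report("ECDSA leaf, algorithm from leaf key", ecLeaf, SigAlgFromLeafKey(ecLeaf))
	report("RSA leaf, algorithm from leaf key (the limitation)", rsaLeaf, SigAlgFromLeafKey(rsaLeaf))
	report("RSA leaf, algorithm chosen from CA key", rsaLeaf, x509.UnknownSignatureAlgorithm)
}
```

Run it with go run: the same-family pair succeeds, the mixed pair with the algorithm taken from the leaf fails with the library error, and choosing by the signer yields an ecdsa-with-SHA512 signature over an RSA public key, which is what a CA Issuer without the limitation would produce. CurveBits is the check to run on a certificate pulled out of the secret: a keySize: 521 certificate must come back as 521, and an unexpected 0 means the key was generated as RSA.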
    

Vault Issuer

You can create certificates from a Vault Issuer that use ECDSA keys instead of RSA by setting key_type and key_bits on the Vault PKI role that the Issuer signs against. For more information about the Vault Issuer, see Adding a certificate by using the Vault Issuer.

On your Vault server, run the following commands and edit key_type and key_bits. The first command configures the AppRole authentication role that Certificate manager logs in with; it takes no key parameters. key_type and key_bits belong to the PKI role, which is written under <pki mount>/roles/<role>. In the sample, pki is the PKI mount path and my-role is the role name; substitute your own. Note that vault write replaces the whole role, so include the role's other settings, such as allowed_domains, in the same command:

  vault write auth/approle/role/my-role secret_id_ttl=8760h token_num_uses=0 token_ttl=20m token_max_ttl=30m secret_id_num_uses=0 policies=pki_policy
  vault write pki/roles/my-role key_type=ec key_bits=521

When you create Certificate resources, use a keySize that matches, or is greater than, the key_bits that you set on the Vault role. Vault rejects a signing request whose key is of a different type than key_type or smaller than key_bits. For ECDSA keys, the values are:

  key_type=ec
  key_bits=256, 384 or 521

See Using IBM Cloud Private Certificate manager (cert-manager) for more Certificate manager topics.