[eduVPN-deploy] Switching to ECDSA for VPN certificates

François Kooman fkooman at tuxed.net
Mon Oct 11 12:17:44 CEST 2021


Hi all,

In the upcoming release of vpn-server-api (2.3.0) we will switch to 
issuing client (and server) VPN certificates with ECDSA. The reason for 
this is to improve the time needed to generate new keys for VPN clients. 
With RSA it averages around 1 second [1]. Switching to ECDSA (NIST P-384 
curve) we'll make obtaining a new configuration (much) quicker.

This change is especially important for APIv3 support [2] that will be 
introduced in the next months if all goes well. This will simplify VPN 
clients a lot. With APIv3 an eduVPN/Let's Connect! client will obtain a 
new certificate at every connect. Note that this (= obtaining a new 
certificate on connect) is only relevant when using the eduVPN/Let's 
Connect! applications, and not (manual) configuration downloads through 
the portal.

If you want to keep using RSA it is important that you as soon as 
possible (= before the installation of vpn-server-api 2.3.0) explicitly 
configure RSA as your `vpnCaKeyType` [3].

Note that if your CA is currently of type RSA it will remain that way. 
The ECDSA certificates will be signed by your RSA Root CA. New 
installations of eduVPN/Let's Connect! server will default to ECDSA for 
the Root CA as well.

Let us know if you have any questions, remarks or suggestions!

Regards,
François

[1] https://www.tuxed.net/fkooman/blog/openvpn_modern_crypto_part_ii.html
[2] https://github.com/eduvpn/documentation/blob/v2/API_V3.md
[3] https://github.com/eduvpn/documentation/blob/v2/SECURITY.md#switching-key-type
