[eduVPN-deploy] Switching to ECDSA for VPN certificates
François Kooman
fkooman at tuxed.net
Mon Oct 11 12:17:44 CEST 2021
Hi all,

In the upcoming release of vpn-server-api (2.3.0) we will switch to
issuing client (and server) VPN certificates with ECDSA. The reason for
this is to improve the time needed to generate new keys for VPN clients.
With RSA it averages around 1 second [1]. Switching to ECDSA (NIST P-384
curve) we'll make obtaining a new configuration (much) quicker.

This change is especially important for APIv3 support [2] that will be
introduced in the next months if all goes well. This will simplify VPN
clients a lot. With APIv3 an eduVPN/Let's Connect! client will obtain a
new certificate at every connect. Note that this (= obtaining a new
certificate on connect) is only relevant when using the eduVPN/Let's
Connect! applications, and not (manual) configuration downloads through
the portal.

If you want to keep using RSA it is important that you as soon as
possible (= before the installation of vpn-server-api 2.3.0) explicitly
configure RSA as your `vpnCaKeyType` [3].

Note that if your CA is currently of type RSA it will remain that way.
The ECDSA certificates will be signed by your RSA Root CA. New
installations of eduVPN/Let's Connect! server will default to ECDSA for
the Root CA as well.

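The mixed setup described above (an existing RSA root CA issuing ECDSA P-384 client certificates) can be reproduced and checked with the openssl CLI. This is an added example, not code from vpn-server-api; it assumes openssl is installed, builds a throwaway CA in a scratch directory, and uses secp384r1 (openssl's name for NIST P-384).

```shell
#!/bin/sh
# Added example (not eduVPN's own code): issue an ECDSA P-384 client
# certificate under an RSA root CA and verify the resulting chain.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; all material is constructed

# Throwaway RSA root CA, standing in for an existing RSA vpnCaKeyType CA.
make_rsa_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example VPN Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# ECDSA P-384 client key and CSR, signed by the RSA CA above.
issue_ec_client_cert() {
    cn="$1"
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/$cn.key"
    openssl req -new -key "$WORK/$cn.key" -subj "/CN=$cn" -out "$WORK/$cn.csr"
    openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$WORK/$cn.crt" 2>/dev/null
}

# Chain check: does the ECDSA leaf validate against the RSA root? Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Public key algorithm of the leaf as openssl reports it (id-ecPublicKey for ECDSA).
leaf_key_algo() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Signature algorithm on the leaf: shows the RSA root signing an ECDSA key.
leaf_sig_algo() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

make_rsa_ca
issue_ec_client_cert client1
```

Running `verify_chain client1`, `leaf_key_algo client1` and `leaf_sig_algo client1` afterwards shows the chain validating with an EC public key in the leaf and an RSA signature from the CA.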
Let us know if you have any questions, remarks or suggestions!

Regards,
François

[1] https://www.tuxed.net/fkooman/blog/openvpn_modern_crypto_part_ii.html
[2] https://github.com/eduvpn/documentation/blob/v2/API_V3.md
[3] https://github.com/eduvpn/documentation/blob/v2/SECURITY.md#switching-key-type