Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
551 Commits
12 Branches
27 Tags
2.1 MiB
Branch: main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
acmed/README.md

230 lines
14 KiB
Raw Permalink Normal View History

Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
ACMEd v0.7.0
4 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Switch from heading underline to ATX headings Both markdown and CommonMark support only 2 level of heading underline. A third level using the `~` character is only supported as an extension in some implementations. While GitHub and most software do not support it, it is a better choice to switch to ATX headings. https://daringfireball.net/projects/markdown/syntax https://spec.commonmark.org/
5 years ago
Expand the readme
5 years ago
Update the badges
3 years ago
Merge the licenses badges
1 year ago
Add badges to the readme
5 years ago
Add a README.md file
5 years ago
Switch from heading underline to ATX headings Both markdown and CommonMark support only 2 level of heading underline. A third level using the `~` character is only supported as an extension in some implementations. While GitHub and most software do not support it, it is a better choice to switch to ATX headings. https://daringfireball.net/projects/markdown/syntax https://spec.commonmark.org/
5 years ago
Add a README.md file
5 years ago
RFC 8737 has been released
4 years ago
Fix the case
4 years ago
Add support for Ed25519 and Ed448 account keys and certificates Fixes #36
3 years ago
ACMEd v0.7.0
4 years ago
Add hooks before and after a file is created or edited It is considered a good practice to archive old certificates and private keys instead of simply dropping them away. Because ACMEd should not impose a way of doing things to system administrators, hooks are the way to go.
5 years ago
Add a README.md file
5 years ago
Update the README
4 years ago
Update the README
5 years ago
Update the README
5 years ago
Add external account binding
4 years ago
Add rate limits for HTTPS requests
5 years ago
Add external account binding
4 years ago
Add a README.md file
5 years ago
Switch from heading underline to ATX headings Both markdown and CommonMark support only 2 level of heading underline. A third level using the `~` character is only supported as an extension in some implementations. While GitHub and most software do not support it, it is a better choice to switch to ATX headings. https://daringfireball.net/projects/markdown/syntax https://spec.commonmark.org/
5 years ago
Expand the readme
5 years ago
Fix the case
4 years ago
Add tls-alpn-01 challenge support Although the standardization is still a draft, this challenge is already supported by Let's Encrypt. https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/
5 years ago
Update the README.md
5 years ago
Expand the readme
5 years ago
Fix minor issues in the README
5 years ago
Add a project status section in the README
5 years ago
Expand the readme
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Add the wiki
4 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Update the README
4 years ago
Minor documentation fixes
4 years ago
Update the README
4 years ago
Update the README
4 years ago
Minor documentation fixes
4 years ago
Update the README
4 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Add badges to the readme
5 years ago
Add a README.md file
5 years ago
Update dependencies
3 months ago
Add a README.md file
5 years ago
Update the dependency requirement Versions of OpenSSL or LibreSSL where `PEM_write_bio_PKCS8PrivateKey` uses the "traditional" format are not supported. Close #9
5 years ago
Specify the OpenSSL dependency in the readme
5 years ago
Add build instruction for Debian-based systems
5 years ago
Remove the Alpine Linux version reference This reference was obsolete and unmaintained. It should be updated at least at every change in the minimal required Rust version, and I don't want to specifically check the Alpine Linux repository just to check which release includes a compatible Rust version. No other distribution has such information.
2 years ago
Add Alpine Linux instructions in the README Ref #21
4 years ago
Add a README.md file
5 years ago
Add a Makefile
5 years ago
Add a README.md file
5 years ago
Move the contrib files into dedicated directories
3 years ago
Add build-docker.sh script
4 years ago
Add resources to build a docker image
7 months ago
Improve the build system
4 years ago
Add a link to the Rust documentation in the README
3 years ago
Improve the build system
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
Update the `RUNSTATEDIR` default value in the README This value has been change in the following commit: c9c12692c948476cc1fcf0f66d2a0bd20a1589ec
3 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
Update the ACMED_DEFAULT_CERT_FORMAT default value in the README
3 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
Allow the configuration of some default values at compile time using environment variables
3 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
Allow the configuration of some default values at compile time using environment variables
3 years ago
Improve the build system
4 years ago
Move the contrib files into dedicated directories
3 years ago
Add a packager tip in the README
3 years ago
Expand the readme
5 years ago
Switch from heading underline to ATX headings Both markdown and CommonMark support only 2 level of heading underline. A third level using the `~` character is only supported as an extension in some implementations. While GitHub and most software do not support it, it is a better choice to switch to ATX headings. https://daringfireball.net/projects/markdown/syntax https://spec.commonmark.org/
5 years ago
Expand the readme
5 years ago
Switch from heading underline to ATX headings Both markdown and CommonMark support only 2 level of heading underline. A third level using the `~` character is only supported as an extension in some implementations. While GitHub and most software do not support it, it is a better choice to switch to ATX headings. https://daringfireball.net/projects/markdown/syntax https://spec.commonmark.org/
5 years ago
Expand the readme
5 years ago
Update the README
4 years ago
Expand the readme
5 years ago
Add question about the FOSS
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Add question about the FOSS
5 years ago
Update the license part of the readme
5 years ago
Add question about the FOSS
5 years ago
Switch from heading underline to ATX headings Both markdown and CommonMark support only 2 level of heading underline. A third level using the `~` character is only supported as an extension in some implementations. While GitHub and most software do not support it, it is a better choice to switch to ATX headings. https://daringfireball.net/projects/markdown/syntax https://spec.commonmark.org/
5 years ago
Expand the readme
5 years ago
Update the README
5 years ago
Improve the FAQ
4 years ago
Expand the readme
5 years ago
Update the README's FAQ Closes #34 and closes #35
4 years ago
Improve the FAQ
4 years ago
Update the README
4 years ago
Improve the FAQ
4 years ago
Update the README
4 years ago
Improve the FAQ
4 years ago
Add documentation about the system user
4 years ago
Improve the FAQ
4 years ago
Update the README
3 years ago
Add documentation about the system user
4 years ago
Add example systemd service file
4 years ago
Update the README
3 years ago
Add example systemd service file
4 years ago
Add questions about parallelization in the FAQ
4 years ago
Rewrite the main event loop using async Manual threads have some huge drawbacks and are therefore not well suited for this task. Using async with a multi-threaded runtime, however, does not have those drawbacks and keep the advantage of a multi-threaded environment. This is only the first part of the switch to async, the next step being to use it in file operation, HTTP requests and sleeps.
1 year ago
Add questions about parallelization in the FAQ
4 years ago
Rewrite the main event loop using async Manual threads have some huge drawbacks and are therefore not well suited for this task. Using async with a multi-threaded runtime, however, does not have those drawbacks and keep the advantage of a multi-threaded environment. This is only the first part of the switch to async, the next step being to use it in file operation, HTTP requests and sleeps.
1 year ago
Add questions about parallelization in the FAQ
4 years ago
Rewrite the main event loop using async Manual threads have some huge drawbacks and are therefore not well suited for this task. Using async with a multi-threaded runtime, however, does not have those drawbacks and keep the advantage of a multi-threaded environment. This is only the first part of the switch to async, the next step being to use it in file operation, HTTP requests and sleeps.
1 year ago
Add questions about parallelization in the FAQ
4 years ago
Rewrite the main event loop using async Manual threads have some huge drawbacks and are therefore not well suited for this task. Using async with a multi-threaded runtime, however, does not have those drawbacks and keep the advantage of a multi-threaded environment. This is only the first part of the switch to async, the next step being to use it in file operation, HTTP requests and sleeps.
1 year ago
Add questions about parallelization in the FAQ
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Expand the readme
5 years ago
Update the README's FAQ Closes #34 and closes #35
4 years ago
Expand the readme
5 years ago
Update the README's FAQ Closes #34 and closes #35
4 years ago
Update the README
4 years ago
Expand the readme
5 years ago
Update the README
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Improve the FAQ
4 years ago
  2. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  4. [//]: # (Copying and distribution of this file, with or without modification,)
  5. [//]: # (are permitted in any medium without royalty provided the copyright)
  6. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  7. [//]: # (without any warranty.)
  9. # ACMEd
  11. [![Build Status](https://github.com/breard-r/acmed/actions/workflows/ci.yml/badge.svg)](https://github.com/breard-r/acmed/actions/workflows/ci.yml)
  12. ![License MIT OR Apache 2.0](https://img.shields.io/badge/license-MIT%20OR%20Apache--2.0-blue)
  14. The Automatic Certificate Management Environment (ACME), is an internet standard ([RFC 8555](https://tools.ietf.org/html/rfc8555)) which allows to automate X.509 certificates signing by a Certification Authority (CA). ACMEd is one of the many clients for this protocol.
  17. ## Key features
  19. - http-01, dns-01 and [tls-alpn-01](https://tools.ietf.org/html/rfc8737) challenges
  20. - IP identifier validation extension [RFC 8738](https://tools.ietf.org/html/rfc8738)
  21. - RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384, ECDSA P-521, Ed25519 and Ed448 certificates and account keys
  22. - Internationalized domain names support
  23. - Fully customizable challenge validation action
  24. - Fully customizable archiving method (yes, you can use git or anything else)
  25. - Nice and simple configuration file
  26. - A pre-built set of hooks that can be used in most circumstances
  27. - Run as a deamon: no need to set-up timers, crontab or other time-triggered process
  28. - Retry of HTTPS request rejected with a badNonce or other recoverable errors
  29. - Customizable HTTPS requests rate limits
  30. - External account binding
  31. - Optional key pair reuse (useful for [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning))
  32. - For a given certificate, each domain name may be validated using a different challenge
  33. - A standalone server dedicated to the tls-alpn-01 challenge validation (tacd)
  36. ## Planned features
  38. - STAR certificates [RFC 8739](https://tools.ietf.org/html/rfc8739)
  39. - Daemon and certificates management via the `acmectl` tool
  40. - HTTP/2 support
  43. ## Project status
  45. This project is usable, but is still a work in progress. Each release should works well and accordingly to its documentation.
  46. Because the API has not been stabilized yet, breaking changes may occur. Therefore, before any upgrade, you are invited to read the [CHANGELOG](CHANGELOG.md) and check if any change can break your setup.
  48. Please keep in mind this software has neither been subject to a peer review nor to a security audit.
  51. ## Documentation
  53. The [wiki](https://github.com/breard-r/acmed/wiki) will provides you with an overview as well as guides. You may contribute to it by creating a PR on the [acmed-wiki](https://github.com/breard-r/acmed-wiki) repository.
  55. For exhaustive references, the following man pages are available:
  57. - acmed (8)
  58. - acmed.toml (5)
  59. - tacd (8)
  61. An easy way to read those pages without installing ACMEd is to downloads and pipe them to the man utility:
  63. ```
  64. curl -sSf "https://raw.githubusercontent.com/breard-r/acmed/main/man/en/acmed.8" | man -l -
  65. curl -sSf "https://raw.githubusercontent.com/breard-r/acmed/main/man/en/acmed.toml.5" | man -l -
  66. curl -sSf "https://raw.githubusercontent.com/breard-r/acmed/main/man/en/tacd.8" | man -l -
  67. ```
  69. Alternatively, using zsh, you can use the following variants. Useful on system where man is unable to read from stdin (yes BSD, that's you).
  71. ```
  72. man =(curl -sSf "https://raw.githubusercontent.com/breard-r/acmed/main/man/en/acmed.8")
  73. man =(curl -sSf "https://raw.githubusercontent.com/breard-r/acmed/main/man/en/acmed.toml.5")
  74. man =(curl -sSf "https://raw.githubusercontent.com/breard-r/acmed/main/man/en/tacd.8")
  75. ```
  78. ## Build from source
  80. In order to compile ACMEd, you will need the [Rust](https://www.rust-lang.org/) compiler and its package manager, Cargo. The minimum supported Rust version(MSRV) is 1.74, although it is recommended to use the latest stable one.
  82. ACMEd depends OpenSSL 1.1.0 or higher.
  84. On systems based on Debian/Ubuntu, you may need to install the `libssl-dev`, `build-essential` and `pkg-config` packages.
  86. On Alpine Linux, you may need to install the `openssl-dev` and `alpine-sdk` packages.
  88. ```
  89. $ make
  90. $ make install
  91. ```
  93. To build ACMEd and tacd inside a temporary Docker container, use the `contrib/docker/build-docker.sh` helper script. It currently supports Debian Buster / Stretch.
  95. You can also build a container image for some k8s deployement, use the `contrib/docker/build-docker-image.sh` script. It supports the same targets as the build-docker.sh script.
  97. When build succeed, you can start the container with `docker run --rm -v /path/to/conf/dir:/etc/acmed acmed:buster`.
  99. ### Advanced options
  101. You can specify a space or comma separated list of features to activate in the `FEATURE` variable. The possible features are:
  103. - `openssl_dyn` (default): use OpenSSL as the cryptographic library, dynamically linked (mutually exclusive with `openssl_vendored`).
  104. - `openssl_vendored`: use OpenSSL as the cryptographic library, statically linked (mutually exclusive with `openssl_dyn`).
  106. You can also specify the [target triple](https://doc.rust-lang.org/nightly/rustc/platform-support.html) to build for in the `TARGET` variable. Please note that, if used, this variable must be specified for both `make` and `make install`.
  108. For example, you can build statically linked binaries using the `openssl_vendored` feature and the `x86_64-unknown-linux-musl` target.
  110. ```
  111. make FEATURES="openssl_vendored" TARGET="x86_64-unknown-linux-musl"
  112. ```
  114. The following environment variables can be used to change default values at compile and/or install time:
  116. - `PREFIX` (install): system user prefix (default to `/usr`)
  117. - `BINDIR` (install): system binary directory (default to `$PREFIX/bin`)
  118. - `DATADIR` (install): system data directory (default to `$PREFIX/share`)
  119. - `MAN5DIR` (install): system directory where pages 5 manuals are located (default to `$DATADIR/man/man5`)
  120. - `MAN8DIR` (install): system directory where pages 8 manuals are located (default to `$DATADIR/man/man8`)
  121. - `SYSCONFDIR` (compile and install): system configuration directory (default to `/etc`)
  122. - `VARLIBDIR` (compile and install): directory for persistent data modified by ACMEd (default to `/var/lib`)
  123. - `RUNSTATEDIR` (compile): system run-time variable data (default to `/run`)
  124. - `ACMED_DEFAULT_ACCOUNTS_DIR` (compile): directory where account files are stored (default to `$VARLIBDIR/acmed/accounts`)
  125. - `ACMED_DEFAULT_CERT_DIR` (compile): directory where certificates and private keys are stored (default to `$VARLIBDIR/acmed/certs`)
  126. - `ACMED_DEFAULT_CERT_FORMAT` (compile): format for certificates and private keys files names (default to `{ name }_{ key_type }.{ file_type }.{ ext }`)
  127. - `ACMED_DEFAULT_CONFIG_FILE` (compile): main configuration file (default to `$SYSCONFDIR/acmed/acmed.toml`)
  128. - `ACMED_DEFAULT_PID_FILE` (compile): PID file for the main acmed process (default to `$RUNSTATEDIR/acmed.pid`)
  129. - `TACD_DEFAULT_PID_FILE` (compile): PID file for the tacd process (default to `$RUNSTATEDIR/tacd.pid`)
  131. For example, the following will compile a binary that will use the `/usr/share/etc/acmed/acmed.toml` configuration file and will be installed in the `/usr/local/bin` directory :
  133. ```
  134. make SYSCONFDIR="/usr/share/etc"
  135. make BINDIR="/usr/local/bin" install
  136. ```
  138. ### Packaging
  140. Most of the time, when packaging, you want to install the program in a dedicated directory. This is possible using the `DESTDIR` variable.
  142. ```
  143. make DESTDIR="/path/to/my/package/directory" install
  144. ```
  146. Packager tip: If you package ACMEd in a way it does not run as root, you might want to create another package that provides the Polkit rule file located in the `contrib/polkit` directory. This package should depends on both acmed and Polkit.
  149. ## Frequently Asked Questions
  151. ### Why this project?
  153. After testing multiple ACME clients, I found out none of them supported all the features I expected (see the key features above). It may have been possible to contribute or fork an existing project, however I believe those project made architectural choices incompatible with what i wanted, and therefore it would be as much or less work to start a new project from scratch.
  155. ### Is it free and open-source software?
  157. Yes, ACMEd is dual-licensed under the MIT and Apache 2.0 terms. See [LICENSE-MIT.txt](LICENSE-MIT.txt) and [LICENSE-APACHE-2.0.txt](LICENSE-APACHE-2.0.txt) for details.
  159. The man pages, the default hooks configuration file, the `CHANGELOG.md` and the `README.md` files are released under the [GNU All-Permissive License](https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html).
  161. ### Can it automatically change my server configuration?
  163. Short answer: No.
  165. Long answer: At some points in a certificate's life, ACMEd triggers some hooks in order to let you customize how some actions are done, therefore you can use those hooks to modify any server configuration you wish. However, this may not be what you are looking for since it cannot proactively detect which certificates should be emitted since ACMEd only manages certificates that have already been declared in the configuration files.
  167. ### How should I configure my TLS server?
  169. You decide. ACMEd only retrieve the certificate for you, it does not impose any specific configuration or limitation on how to use it. For the record, if you are looking for security recommendations on TLS deployment, you can follow the [ANSSI TLS guide](https://www.ssi.gouv.fr/en/guide/security-recommendations-for-tls/) (the english version might not be the latest version of this document, if possible use [the french one](https://www.ssi.gouv.fr/entreprise/guide/recommandations-de-securite-relatives-a-tls/)).
  171. ### Is it suitable for beginners?
  173. It depends on your definition of a beginner. This software is intended to be used by system administrators with a certain knowledge of their environment. Furthermore, it is also expected to know the bases of the ACME protocol. Let's Encrypt wrote a nice article about [how it works](https://letsencrypt.org/how-it-works/).
  175. ### It doesn't work!
  177. ACMEd releases do work properly. Knowing that new users tend to shoot themselves in the foot with hooks, you might want to check those before considering moving away to a different software. Files path and permissions are very common traps, you definitely want to check those.
  179. By the way, don't forget to change the log verbosity using `--log-level trace`.
  181. ### Should ACMEd run as root?
  183. Running ACMEd as root is the simplest configuration since you do not have to worry about access rights, especially within hooks (Eg: restart a service).
  185. However, if you are concerned with safety, you should create a dedicated user for ACMEd. Before doing so, please consider the following points:
  187. * Will my services be able to read both the private key and the certificate?
  188. * Will the ACMEd user be able to execute the hooks?
  190. The last one could be achieved using either sudo or Polkit (see the `contrib/polkit` directory).
  192. ### Why is there no option to run ACMEd as a specific user or group?
  194. The reason some services has such an option is because at startup they may have to load data only accessible by root, hence they have to change the user themselves after those data are loaded. For example, this is wildly used in web servers so they load a private key, which should only be accessible by root. Since ACMEd does not have such requirement, it should be run directly as the correct user.
  196. ### How can I run ACMEd with systemd?
  198. The `contrib/systemd` contains examples of a service file as well as a `sysusers.d` and a `tmpfiles.d` file. Those files might need adjustments in order to work on your system (e.g. paths, user, group,...), but it's probably a good starting point.
  200. ### Does ACMEd uses any threading or parallelization?
  202. Yes, ACMEd is [asynchronous](https://en.wikipedia.org/wiki/Asynchrony_(computer_programming)) and uses a multi-thread runtime. In order to check the number of threads, you may run the following command:
  204. ```
  205. ps -T -p "$(pgrep acmed)"
  206. ```
  208. ### Can I use the same account on different endpoints?
  210. Yes, that is possible. However, you should aware that some certificate authorities (e.g. Let's Encrypt) have policies restricting the use multiple accounts. Please check your CA's documentation.
  212. ### Why is RSA 2048 the default certificate key type?
  214. Short answer: it is sufficiently secured, has good performances and is wildly supported.
  216. Before choosing a different algorithm for your certificate's signature, you might want to consider all of those three points.
  218. * For security, you may refer to the table 2 of the [NIST SP 800-57 Part 1](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final).
  219. * For performances, you can launch the following command on your machine: `openssl speed rsa2048 rsa3072 rsa4096 ecdsap256 ecdsap384 ecdsap521 ed25519 ed448`. Your server will be affected by the signature performances and the clients connecting to it will be affected by the verification performances.
  220. * Nowadays, every client support ECDSA. Therefore, unless you have very specific requirements, you can safely use it. At time of writing, EdDSA certificates are not yet supported, but it might become a thing in the future.
  222. Currently, security and client support aren't the main concerns since every possible type of certificates is good enough on those two points. The performances clearly favors ECDSA P-256, Ed25519 and RSA 2048. The later has been chosen as the default because it's the most wildly used as Certification Authorities root and intermediate certificates. This choice may change in favor of ECDSA since Let's Encrypt issued [a full ECDSA certificates chain](https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html).
  224. ### Why is ECDSA P-256 the default account key type?
  226. RFC 8555 section 6.2 defines ECDSA P-256 as the only account key type that any ACME servers must implement. It is therefore the best choice for the default value.
  228. ### Why can I chose the CSR's digest type but not the certificate's?
  230. Well, you sign the CSR, so obviously you can chose which digest to use. However, the certificate is signed by the certificate authority, so its digest choice is up to your CA. I agree that being able to chose the CSR's digest type is of low importance, sorry if it gave you false hopes about the certificate.