Plesk Let's Encrypt and support for ECDSA certificates
As you probably know, Let's Encrypt supports ECDSA certificates. Shorter handshake time, less data to transfer, and faster page load time as a result.
I suggest a Plesk feature: add an option to choose between an RSA and an ECDSA certificate when signing with Let's Encrypt.
Best regards, Mike
2.7.2 (17 January 2019)
• [*] In Plesk for Linux 17.8 and later, the extension now supports issuing ECDSA certificates. To have the extension issue certificates signed with ECDSA, add the following lines to the panel.ini file:
[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted
If you have any feedback let’s discuss it on our forum: https://talk.plesk.com/threads/lets-encrypt-extension.336954/
-
Hostasaurus commented
Just wanted to +1 this. By Plesk not supporting both types of certs, you're hurting the performance of sites choosing to host on a Plesk server. The SSL handshake time on an ECDSA cert is significantly lower, which is why a Cloudflare-hosted site (for example) has much greater performance than a Plesk-hosted site. Yes, we can do ECDSA via the Let's Encrypt plugin, but then we sacrifice RSA compatibility. Given the underlying software already has such support, it should be trivial to update the UI to support both types.
-
LC commented
There's more to this than may be thought after the first read...
Adding the option to choose between RSA OR ECDSA Certificates when signing with Let's Encrypt (but staying within Plesk whilst you do this) certainly is a very important aspect, yes, but you can already do this outside of Plesk and then bring the ECDSA certificates into Plesk anyway, if you want to. The downside, if you do, would be that the renewal process would become a manual process, whereas it's an automatic process and works very well for all the RSA Let's Encrypt Certificates that are currently created from within Plesk (via the extension).
Later releases of both Apache and NginX can see BOTH RSA and ECDSA Certificates and therefore, the browser / client can successfully ask for either to be presented as a result. However, if you currently try and make this possible when using Apache and NginX from within Plesk... Good luck! :o))) Meanwhile, if you set this up but do NOT use Plesk, it can and will work perfectly.
So perhaps... a bigger 'need for change' may be option 2) and therefore 3) shown below?
1) Provide a choice of: RSA OR ECDSA Let's Encrypt Certificates from within Plesk exactly as per the OP's suggestion. Definitely the quickest and simplest solution for Plesk to implement.
However, for a wider appeal and for covering more browsers / client options as mentioned:
2) Provide a choice of: RSA OR ECDSA as per 1) but then also provide the additional choice of both i.e. RSA AND ECDSA Let's Encrypt Certificates from within Plesk. The first choice would produce one certificate, the second choice would produce two certificates.
3) If it's 2) and not 1) that is finally implemented by Plesk, then Plesk would also need to provide "identification of both certificates" within Plesk templates that NginX and Apache use, in order to make this work correctly, as it does already if not using Plesk.
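
The dual-certificate setup discussed in the comments above, as an added example for a standalone nginx server (not part of the thread and not a Plesk template). The hostname `example.com` and all file paths are placeholders; it assumes nginx 1.11.0 or later built against OpenSSL 1.0.2 or later.

```nginx
# Added example: one virtual host serving both an RSA and an ECDSA
# certificate. example.com and every path below are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # RSA certificate chain and key. Presented to clients whose
    # handshake does not offer ECDSA support.
    ssl_certificate     /etc/ssl/example.com/rsa/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/rsa/privkey.pem;

    # ECDSA certificate chain and key (for instance a prime256v1 key,
    # the curve named in the panel.ini snippet above). Each
    # ssl_certificate line must be paired with the key of the same type.
    ssl_certificate     /etc/ssl/example.com/ecdsa/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/ecdsa/privkey.pem;

    # No extra directive selects between the two: the TLS library
    # picks the certificate that matches what the client offers.
    # Restricting ssl_ciphers to only ECDSA or only RSA suites would
    # make the other certificate unreachable for TLS 1.2 clients.

    root /var/www/example.com;
}
```

To check which certificate a given kind of client receives, connect with `openssl s_client -connect example.com:443 -servername example.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256` and again with `-cipher ECDHE-ECDSA-AES128-GCM-SHA256`, then compare the key type of the certificate returned. Both certificates expire independently, so each one needs its own renewal.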