ACM Let's Encrypt Certificate does not include RSA

It said that the certificate issued by Let’s Encrypt included a SHA2 RSA certificate, but I checked and only an ECC certificate was included; no RSA certificate issued by Let’s Encrypt was issued or used. The description about SHA2 RSA is wrong. After this, I tried issuing another certificate pack from DigiCert, which included ECC and RSA. However, either the certificate issued by Let’s Encrypt was applied and the RSA certificate issued by DigiCert wasn’t used, or only the ECC and RSA certificates issued by DigiCert were used and the certificate issued by Let’s Encrypt was not used. I hope the problem can be solved.

You are correct that only an ECC certificate is issued using ACM. As LE have not yet started to use their ECC root and intermediates they are coming from an RSA intermediate. I opened a ticket about this a few weeks ago and it is not something that is likely to be changed.

Only one pack is used for any hostname, so you cannot mix and match between the LE and Digicert roots.

Can both ECC and RSA certificates be issued when choosing Let’s Encrypt as the certificate authority?

No. And I don’t think this is something Cloudflare intend to change.

Do you have particular reasons to use RSA? In today’s world using TLS 1.2 and TLS 1.3 with the ciphers below gives you pretty good device coverage. I’ll look again at my own data, but ditching RSA is definitely possible unless you have very specific requirements.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
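The question in this thread comes down to which public-key algorithm the served certificate actually carries, and that is recorded in the certificate's SubjectPublicKeyInfo algorithm OID, not in a dashboard label. The following is an added example, not code from this thread or from Cloudflare or Let's Encrypt: a small stdlib-only DER walker that reports EC (with curve), RSA or Ed25519 for a certificate. The sample DER it runs on is constructed inline (the key bits and the issuer/subject/validity fields are placeholders, not a real certificate); the OIDs are the standard RFC 5280 / RFC 5480 / RFC 8017 / RFC 8410 values.

```python
import ssl

# Standard algorithm OIDs (RFC 8017 for RSA, RFC 5480 for EC, RFC 8410 for Ed25519).
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.3.101.112": "Ed25519",
}
EC_CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384"}


def _read_tlv(data, pos):
    """Return (tag, body, end) for the DER element that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_children(data):
    """Split a byte string into its top-level (tag, body, raw_element) triples."""
    out, pos = [], 0
    while pos < len(data):
        tag, body, end = _read_tlv(data, pos)
        out.append((tag, body, data[pos:end]))
        pos = end
    return out


def decode_oid(body):
    """Decode DER OID content octets to dotted form."""
    parts, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def key_algorithm(spki):
    """spki: full DER SubjectPublicKeyInfo -> 'EC P-256', 'RSA', 'Ed25519' or 'unknown'."""
    _, seq_body, _ = parse_children(spki)[0]
    alg_id = parse_children(seq_body)[0]            # AlgorithmIdentifier precedes the BIT STRING
    fields = parse_children(alg_id[1])
    name = KEY_ALGORITHMS.get(decode_oid(fields[0][1]), "unknown")
    if name == "EC" and len(fields) > 1 and fields[1][0] == 0x06:   # namedCurve parameter
        name += " " + EC_CURVES.get(decode_oid(fields[1][1]), "unknown curve")
    return name


def key_algorithm_from_certificate(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 section 4.1)."""
    _, cert_body, _ = parse_children(cert_der)[0]
    _, tbs_body, _ = parse_children(cert_body)[0]
    fields = parse_children(tbs_body)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return key_algorithm(fields[5][2])


def key_algorithm_from_pem(pem_text):
    """Convenience wrapper for a PEM string, e.g. one saved from a browser or openssl."""
    return key_algorithm_from_certificate(ssl.PEM_cert_to_DER_cert(pem_text))


# --- constructed sample data (placeholders, not real keys or certificates) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    a, b, *rest = (int(x) for x in oid.split("."))
    out = bytes([40 * a + b])
    for v in rest:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


EC_SPKI = _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.10045.2.1") + _encode_oid("1.2.840.10045.3.1.7"))
               + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))          # placeholder P-256 point
RSA_SPKI = _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
                + _tlv(0x03, b"\x00" + _tlv(0x30, _tlv(0x02, b"\x00" + b"\xAB" * 256)
                                             + _tlv(0x02, b"\x01\x00\x01"))))  # placeholder modulus, e=65537


def fake_certificate(spki):
    """Minimal Certificate-shaped DER around the given SPKI (issuer/subject/validity left empty)."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
           + _tlv(0x30, _encode_oid("1.2.840.10045.4.3.2"))      # ecdsa-with-SHA256
           + _tlv(0x30, b"") + _tlv(0x30, b"") + _tlv(0x30, b"") + spki)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, _encode_oid("1.2.840.10045.4.3.2")) + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    print(key_algorithm(EC_SPKI), key_algorithm(RSA_SPKI), key_algorithm_from_certificate(fake_certificate(EC_SPKI)))
```

On a real host, save the leaf certificate as PEM (for example from the browser's certificate viewer) and pass it to `key_algorithm_from_pem`; a result of `EC P-256` with no second RSA leaf is exactly the single-ECC-certificate situation the thread describes, and the `fields[1][0] == 0x06` check is what distinguishes a named-curve EC key from RSA's NULL parameters.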

Yeah maybe soon https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
