October 24, 2018

Certificate Support

  Technical Reference, TLS


NuevoCloud supports both RSA and ECDSA certificates. RSA 2048-bit certificates are the most common; however, ECDSA certificates are smaller (and therefore faster to send), provide stronger security for a given key size, and are expected to become more common in the future.

ECDSA Certificates

ECDSA certificates must use the elliptic curve NIST P-256 or Curve25519. Both curves provide a 128-bit security level, equivalent to a 3084-bit RSA certificate. P-256 is widely supported by browsers and has been supported for longer. Curve25519 was created more recently and therefore has poorer backward compatibility with older browsers.

Let's Encrypt

NuevoCloud's Let's Encrypt integration uses ECDSA certificates on the elliptic curve NIST P-256. These provide a 128-bit security level, equivalent to a 3084-bit RSA certificate.

A Let's Encrypt certificate will be obtained for any domain that does not have a valid certificate. A new Let's Encrypt certificate will also be obtained automatically when an existing certificate is within 30 days of its expiration date. Adding a valid certificate for a domain will automatically remove the Let's Encrypt certificate that was obtained for that domain.

Wildcard Certificates

Wildcard certificates are supported. A wildcard certificate will only be used when its Subject Name or a Subject Alternative Name matches the request domain, and the request domain belongs to the same zone as the certificate.

Multiple Certificate Support

Multiple certificates are supported, and you may mix and match certificate types. For example, you can add a wildcard certificate and an additional certificate to cover a specific domain. NuevoCloud will compare the request domain to each certificate's names and select a matching certificate when responding.
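The selection and renewal rules described in the Let's Encrypt, Wildcard Certificates and Multiple Certificate Support sections, modelled as an added Python example. This is not NuevoCloud's own code: the `Certificate` model, the `letsencrypt` issuer label, the fixed `DEMO_NOW` clock and the sample names are constructed; the single-label wildcard rule (RFC 6125 style) and the preference for an exact name over a wildcard match are assumptions, and zone scoping is left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Certificate:
    """Subject CN plus SAN DNS names, expiry, and who issued it (constructed model)."""
    names: List[str]
    not_after: datetime
    issuer: str = "uploaded"   # "letsencrypt" marks certificates the integration obtained

    def is_valid_at(self, now: datetime) -> bool:
        return now < self.not_after


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a request host.

    A wildcard covers exactly one leftmost label (RFC 6125 style, assumed here):
    *.example.com matches www.example.com but not example.com or a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                    # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def select_certificate(host: str, certs: List[Certificate], now: datetime) -> Optional[Certificate]:
    """Pick the certificate to serve for host: an exact name beats a wildcard (assumed policy)."""
    exact = wildcard = None
    for cert in certs:
        if not cert.is_valid_at(now):
            continue                        # expired certificates are never served
        for name in cert.names:
            if not name_matches(name, host):
                continue
            if name.startswith("*."):
                wildcard = wildcard or cert
            else:
                exact = exact or cert
    return exact or wildcard


RENEW_WINDOW = timedelta(days=30)           # renewal threshold stated on the page


def needs_lets_encrypt(host: str, certs: List[Certificate], now: datetime) -> bool:
    """True if no valid certificate covers host, or the covering one expires within 30 days."""
    cert = select_certificate(host, certs, now)
    return cert is None or cert.not_after - now <= RENEW_WINDOW


def add_certificate(certs: List[Certificate], new_cert: Certificate) -> List[Certificate]:
    """Add an uploaded certificate and drop Let's Encrypt certificates whose names it now covers."""
    def covered(cert: Certificate) -> bool:
        return all(any(name_matches(n, h) for n in new_cert.names) for h in cert.names)
    kept = [c for c in certs if not (c.issuer == "letsencrypt" and covered(c))]
    return kept + [new_cert]


# Constructed demo data: a fixed clock and a helper that builds certificates relative to it.
DEMO_NOW = datetime(2018, 10, 24, tzinfo=timezone.utc)


def cert_valid_for(names: List[str], days: int, issuer: str = "uploaded") -> Certificate:
    return Certificate(list(names), DEMO_NOW + timedelta(days=days), issuer)


if __name__ == "__main__":
    store = [cert_valid_for(["*.example.com"], 200),
             cert_valid_for(["www.example.com", "example.com"], 20)]
    for host in ["www.example.com", "api.example.com", "example.com", "a.b.example.com"]:
        chosen = select_certificate(host, store, DEMO_NOW)
        print(host, "->", chosen.names if chosen else None,
              "| needs Let's Encrypt:", needs_lets_encrypt(host, store, DEMO_NOW))
```

The two edge cases worth noticing are that the wildcard never covers the bare domain (so `example.com` needs its own name on some certificate) and that a certificate expiring in exactly 30 days already counts as due for renewal.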

Self-Signed Certificates

You may use self-signed certificates as long as they are a supported RSA or ECDSA certificate type. Since self-signed certificates are not issued by a trusted CA, browsers will display a security warning when connecting to a domain that uses one. Therefore, they are recommended only for testing.
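For testing, the self-signed certificate above still has to be a supported type. The following added shell example (not NuevoCloud's tooling) generates a NIST P-256 ECDSA key and self-signed certificate with `openssl`, then inspects any PEM certificate to report whether it carries an ECDSA P-256 or RSA key before you upload it. The `is_supported_cert` check and its RSA size floor of 2048 bits are assumptions; the hostname `test.example.com` is constructed.

```shell
#!/bin/sh
# Added example: create a P-256 ECDSA self-signed certificate for testing,
# then report what key type a PEM certificate carries.
set -eu

# Generate a NIST P-256 (prime256v1) key and a short-lived self-signed certificate.
#   $1 = hostname to put in the CN, $2 = output directory
gen_p256_selfsigned() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2/key.pem"
    openssl req -new -x509 -key "$2/key.pem" -subj "/CN=$1" -days 30 -out "$2/cert.pem"
}

# Print "ecdsa <curve>", "rsa <bits>" or "unsupported" for the certificate in $1.
cert_key_type() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *id-ecPublicKey*)
            curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *//p')
            echo "ecdsa $curve" ;;
        *rsaEncryption*)
            bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
            echo "rsa $bits" ;;
        *)
            echo "unsupported" ;;
    esac
}

# Succeed only for key types the page lists: ECDSA on P-256, or RSA (assumed >= 2048 bits).
# Curve25519 certificates appear in openssl output as the ED25519 algorithm and are not handled here.
is_supported_cert() {
    kind=$(cert_key_type "$1")
    case "$kind" in
        "ecdsa prime256v1") return 0 ;;
        "rsa "*) [ "${kind#rsa }" -ge 2048 ] && return 0 ;;
    esac
    return 1
}

# Usage: generate a test certificate and report whether it would be accepted.
dir=$(mktemp -d)
gen_p256_selfsigned test.example.com "$dir"
echo "key type: $(cert_key_type "$dir/cert.pem")"
if is_supported_cert "$dir/cert.pem"; then echo "supported"; else echo "not supported"; fi
```

Run `cert_key_type` on a certificate from any source before uploading it; a result of `unsupported` (for example an Ed25519 or DSA key) means the certificate type is outside what this page lists.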

Certificates Issued by Internal CAs

You may use certificates issued by an internal CA, as long as they are a supported RSA or ECDSA certificate type. Since such a certificate was not issued by a publicly trusted CA, browsers that do not have your internal CA certificate installed will display a security warning.