From 9148b16d81f7b31bf08531c4affa8855653410f3 Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Wed, 22 Oct 2025 22:48:38 +0000
Subject: [PATCH] acmetool: use ECDSA keys instead of RSA

---
 CHANGELOG.md                                  | 3 +++
 cmdeploy/src/cmdeploy/acmetool/target.yaml.j2 | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee8ea6e9..778f72e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## untagged
 
+- acmetool: use ECDSA keys instead of RSA
+  ([#689](https://github.com/chatmail/relay/pull/689))
+
 - Require TLS 1.2 for outgoing SMTP connections
   ([#685](https://github.com/chatmail/relay/pull/685))
 
diff --git a/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2 b/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
index 97163c4f..2d0552c7 100644
--- a/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
@@ -1,7 +1,8 @@
 request:
   provider: https://acme-v02.api.letsencrypt.org/directory
   key:
-    type: rsa
+    type: ecdsa
+    ecdsa-curve: nistp256
   challenge:
     webroot-paths:
     - /var/www/html/.well-known/acme-challenge