I have begun migrating our services to use ECDSA certificates for their browser UIs. Unfortunately, attempting to import an ECDSA certificate into PRTG using the Certificate Importer comes back with an error stating that the key is not at least 1024 bits in length. Is PRTG even capable of serving ECDSA certificates? If so, is there a timetable to update the Certificate Importer to accept ECDSA certificates, or is there a way to manually add an ECDSA certificate?

PRTG Network Monitor version: 18.1.36.3728+


Article Comments

Hey pixel1138,

thank you for your KB-posting.

You're right, the Certificate Importer does not support ECDSA certificates. However, you should be able to manually import the certificate by following the description in this how-to guide.

Best regards,
Sven


Jan, 2018 - Permalink

Sven, thank you for the reply. I will give that a try, and let you know if it is successful.


Feb, 2018 - Permalink

The manual import of the ECDSA certificate was successful. I'm going to recommend an update to the guide you linked to, though.

In that guide it states the following about the root.pem file:

"This is the public root certificate of your certificate's issuer. It has to be stored in PEM encoded format and must contain all necessary root certificates of your issuer in one file. If there is more than one PEM encoded root certificate, please use a text editor to copy all of them into a single file (the order does not matter)."

This seems to be incorrect. My root.pem file included both the Intermediate CA and the Root CA certificates, and the Core Server service would not start. It was only by looking at the files previously generated with the Certificate Importer from the old RSA certificate that I realized that the previous root.pem file also contained the actual certificate from prtg.crt as well. Adding that certificate to the root.pem file allowed me to start the Core Server service again.

So, I think your guide should instead read:

"This is the full certificate chain of your certificate. It has to be stored in PEM encoded format and must contain the leaf certificate, all intermediate CA certificates (if applicable), and the root CA certificate in one file (the order does not matter)."

If you use a Linux machine to generate certificates like I do, use this PowerShell to convert your line endings to Windows style on each of your certificate and key files:

    $file = Get-Content cert_file.pem
    # Get-Content already splits on LF; writing the lines back on Windows ends each with CRLF.
    $file | Out-File -Encoding ascii cert_file.pem

Finally, I hope the Certificate Importer is updated soon because the use of non-RSA certificates is just going to increase since elliptic curve certificates offer equal security with smaller bit keys for better performance, Let's Encrypt already signs ECDSA certificates, and this year (2018) Let's Encrypt is planning on generating an ECDSA root and ECDSA intermediates.


Feb, 2018 - Permalink
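
The full-chain root.pem described in the comment above can be assembled and sanity-checked with a script rather than a text editor. This is an added example, not part of the original thread or of Paessler's guide; `chain.pem` and the default paths are assumptions.

```powershell
# Added example: build PRTG's root.pem as the full chain (leaf + intermediates + root).
# Assumption: chain.pem is a placeholder name for the file holding your issuer's
# intermediate and root CA certificates; prtg.crt is the leaf certificate.
param(
    [string]$LeafPath  = '.\prtg.crt',
    [string]$ChainPath = '.\chain.pem',
    [string]$OutPath   = '.\root.pem'
)

function Get-PemCertificate {
    param([string]$Path)
    # Read the whole file and extract every CERTIFICATE block, LF or CRLF alike.
    $text = [System.IO.File]::ReadAllText((Resolve-Path $Path).ProviderPath)
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        # Throws if the block is not a parseable X.509 certificate.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

$leaf = @(Get-PemCertificate $LeafPath)
if ($leaf.Count -ne 1) { throw "Expected exactly one certificate in $LeafPath" }
$cas = @(Get-PemCertificate $ChainPath)
if ($cas.Count -eq 0) { throw "No CA certificates found in $ChainPath" }

# Sanity checks: the leaf's issuer and a self-signed root should both be present.
if (-not ($cas | Where-Object { $_.Subject -eq $leaf[0].Issuer })) {
    Write-Warning "Issuer of the leaf is not among the certificates in $ChainPath"
}
if (-not ($cas | Where-Object { $_.Subject -eq $_.Issuer })) {
    Write-Warning "No self-signed root CA certificate found in $ChainPath"
}

# Leaf first, then the CA certificates, skipping duplicates by thumbprint.
$seen = @{}
$pem = foreach ($c in ($leaf + $cas)) {
    if ($seen.ContainsKey($c.Thumbprint)) { continue }
    $seen[$c.Thumbprint] = $true
    '-----BEGIN CERTIFICATE-----'
    [regex]::Matches([Convert]::ToBase64String($c.RawData), '.{1,64}') |
        ForEach-Object { $_.Value }
    '-----END CERTIFICATE-----'
}

# On Windows, Set-Content ends every line with CRLF; ASCII avoids a BOM or UTF-16.
$pem | Set-Content -Encoding Ascii -Path $OutPath
```

Because the script re-encodes each certificate from its parsed form, Linux line endings in the input files are normalized on output without a separate conversion step.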

Hey pixel1138,

Thanks for sharing this. I will forward this to the responsible colleagues who will take care of the update of the import guide.

Best regards,
Sven


Feb, 2018 - Permalink

After a few days of using an ECDSA certificate, I discovered that as of version 17.4.2.1 the PRTG for Android application cannot connect to the server while it is using an ECDSA certificate. The error is "Handshake failed". Will you send this to the developers, please?

If/when I find out this has been corrected, I will update this thread.


Feb, 2018 - Permalink

Hey pixel1138,

Once again, thanks for sharing this. Will forward the information to the dev-team.

Best regards,
Sven


Feb, 2018 - Permalink

Funny, 4 years later and the cert importer still does not seem to support ECDSA certificates :) It still complains about key size < 1024


Aug, 2022 - Permalink

Hi there, please let me know whether you already tried to add the certificate manually as described here: https://helpdesk.paessler.com/en/support/solutions/articles/76000045249


Aug, 2022 - Permalink

Just ran into this same issue. I use Let's Encrypt and the importer does not support ECDSA certs. Any idea on when the importer will be updated? I don't want to manually have to edit the cert files every 3 months.


Apr, 2023 - Permalink