Can PRTG be made to use an ECDSA certificate?


I have begun migrating our services to use ECDSA certificates for their browser UIs. Unfortunately, attempting to import an ECDSA certificate into PRTG using the Certificate Importer comes back with an error stating that the key is not at least 1024 bits in length. Is PRTG even capable of serving ECDSA certificates? If so, is there a timetable to update the Certificate Importer to accept ECDSA certificates, or is there a way to manually add an ECDSA certificate?

PRTG Network Monitor version: 18.1.36.3728+

certificate-importer ecdsa tls

Created on Jan 24, 2018 7:30:41 PM by  pixel1138 (0) 1



6 Replies

Accepted Answer


Hey pixel1138,

thank you for your KB-posting.

You're right, the Certificate Importer does not support ECDSA certificates. However, you should be able to manually import the certificate by following the description in this how-to guide.

Best regards,
Sven

Created on Jan 26, 2018 6:15:19 AM by  Sven Roggenhofer [Paessler Technical Support]

Last change on Dec 3, 2021 10:40:27 AM by  Maike Guba [Paessler Support]




Sven, thank you for the reply. I will give that a try, and let you know if it is successful.

Created on Feb 1, 2018 11:34:12 PM by  pixel1138 (0) 1




The manual import of the ECDSA certificate was successful. I'm going to recommend an update to the guide you linked to, though.

In that guide it states the following about the root.pem file:

"This is the public root certificate of your certificate's issuer. It has to be stored in PEM encoded format and must contain all necessary root certificates of your issuer in one file. If there is more than one PEM encoded root certificate, please use a text editor to copy all of them into a single file (the order does not matter)."

This seems to be incorrect. My root.pem file included both the Intermediate CA and the Root CA certificates, and the Core Server service would not start. It was only by looking at the files previously generated with the Certificate Importer from the old RSA certificate that I realized that the previous root.pem file also contained the actual certificate from prtg.crt as well. Adding that certificate to the root.pem file allowed me to start the Core Server service again.

So, I think your guide should instead read:

"This is the full certificate chain of your certificate. It has to be stored in PEM encoded format and must contain the leaf certificate, all intermediate CA certificates (if applicable), and the root CA certificate in one file (the order does not matter)."

If you use a Linux machine to generate certificates like I do, use this PowerShell to convert your line endings to Windows style on each of your certificate and key files:

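    # Read the whole file as one string so the line endings are still present
    $file = Get-Content cert_file.pem -Raw
    # Rewrite LF (or existing CRLF) as CRLF; write ASCII so the PEM text is not re-encoded
    $file -replace "\r?\n", "`r`n" | Set-Content cert_file.pem -NoNewline -Encoding Ascii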

Finally, I hope the Certificate Importer is updated soon because the use of non-RSA certificates is just going to increase since elliptic curve certificates offer equal security with smaller bit keys for better performance, Let's Encrypt already signs ECDSA certificates, and this year (2018) Let's Encrypt is planning on generating an ECDSA root and ECDSA intermediates.

Created on Feb 2, 2018 9:31:20 PM by  pixel1138 (0) 1
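
A pre-flight check for the two conditions described in the post above (root.pem containing the certificate from prtg.crt, and Windows line endings on every file), to run before restarting the Core Server. This is an added example, not part of the original post and not Paessler tooling; the function names, the `$CertDir` parameter and the extension list are hypothetical, and only the file names prtg.crt and root.pem come from the thread.

```powershell
# Added example (not from the thread or from Paessler). prtg.crt and root.pem are
# the file names used in the thread; all function and parameter names are hypothetical.

function Get-PemThumbprint([string]$Path) {
    # Thumbprint of every CERTIFICATE block in a PEM file, in file order.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $text = [System.IO.File]::ReadAllText($Path)
    $rx = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $rx)) {
        [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Thumbprint
    }
}

function Test-CrlfOnly([string]$Path) {
    # False if any LF byte is not directly preceded by CR (a Unix line ending).
    $b = [System.IO.File]::ReadAllBytes($Path)
    for ($i = 0; $i -lt $b.Length; $i++) {
        if ($b[$i] -eq 10 -and ($i -eq 0 -or $b[$i - 1] -ne 13)) { return $false }
    }
    return $true
}

function Test-PrtgCertFolder([string]$CertDir = '.') {
    $dir   = (Resolve-Path $CertDir).Path   # .NET file APIs need an absolute path
    $leaf  = @(Get-PemThumbprint (Join-Path $dir 'prtg.crt'))
    $chain = @(Get-PemThumbprint (Join-Path $dir 'root.pem'))
    # Assumed extension list for "certificate and key files"
    $badEol = @(Get-ChildItem -Path $dir -File |
        Where-Object { $_.Extension -in '.pem', '.crt', '.key' } |
        Where-Object { -not (Test-CrlfOnly $_.FullName) } |
        ForEach-Object { $_.Name })
    [pscustomobject]@{
        CertsInPrtgCrt = $leaf.Count
        CertsInRootPem = $chain.Count
        LeafInRootPem  = ($leaf.Count -gt 0) -and ($chain -contains $leaf[0])
        FilesNotCrlf   = $badEol
    }
}

# Point -CertDir at the folder holding the files to be installed.
Test-PrtgCertFolder -CertDir '.'
```

For the situation the post describes, `LeafInRootPem` should be `True` and `FilesNotCrlf` should be empty before the service is restarted.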




Hey pixel1138,

Thanks for sharing this. I will forward this to the responsible colleagues who will take care of the update of the import guide.

Best regards,
Sven

Created on Feb 5, 2018 8:09:12 AM by  Sven Roggenhofer [Paessler Technical Support]




After a few days of using an ECDSA certificate, I discovered that as of version 17.4.2.1 the PRTG for Android application cannot connect to the server while it is using an ECDSA certificate. The error is "Handshake failed". Will you send this to the developers, please?

If/when I find out this has been corrected, I will update this thread.

Created on Feb 9, 2018 7:25:52 PM by  pixel1138 (0) 1




Hey pixel1138,

Once again, thanks for sharing this. Will forward the information to the dev-team.

Best regards,
Sven

Created on Feb 12, 2018 6:06:22 AM by  Sven Roggenhofer [Paessler Technical Support]


