Use same key type for GUI cert as Issuing CA cert (#138)

When creating the domain key for the GUI certificate, use the same key
type (RSA or ECDSA) as the Issuing CA.

commander

@@ -51,7 +51,15 @@ case $txt in
     wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
     cd /etc/nginx/ssl
     [ -e account.key ] || openssl genrsa 4096 > account.key
-    [ -e labca_key.pem ] || openssl genrsa 4096 > labca_key.pem
+    [ ! -f labca_key.pem ] || mv labca_key.pem labca_key_rsa.pem
+    [ -e labca_key_rsa.pem ] || openssl genrsa 4096 > labca_key_rsa.pem
+    [ -e labca_key_ecdsa.pem ] || openssl ecparam -name secp384r1 -genkey -out labca_key_ecdsa.pem
+
+    set +e
+    curve_count=$(openssl pkey -pubin -in /opt/boulder/labca/test-ca.pubkey.pem -text | grep -i curve | wc -l)
+    set -e
+    [ "$curve_count" == "0" ] && ln -sf labca_key_rsa.pem labca_key.pem || /bin/true
+    [ "$curve_count" != "0" ] && ln -sf labca_key_ecdsa.pem labca_key.pem || /bin/true
 
     if [ -e labca_cert.pem ]; then
         if [ ! -e domain.csr ]; then
@@ -75,7 +83,16 @@ case $txt in
 "acme-change")
     read fqdn
     cd /etc/nginx/ssl
-    openssl genrsa 4096 > labca_key.pem
+    [ ! -f labca_key.pem ] || mv labca_key.pem labca_key_rsa.pem
+    [ -e labca_key_rsa.pem ] || openssl genrsa 4096 > labca_key_rsa.pem
+    [ -e labca_key_ecdsa.pem ] || openssl ecparam -name secp384r1 -genkey -out labca_key_ecdsa.pem
+
+    set +e
+    curve_count=$(openssl pkey -pubin -in /opt/boulder/labca/test-ca.pubkey.pem -text | grep -i curve | wc -l)
+    set -e
+    [ "$curve_count" == "0" ] && ln -sf labca_key_rsa.pem labca_key.pem || /bin/true
+    [ "$curve_count" != "0" ] && ln -sf labca_key_ecdsa.pem labca_key.pem || /bin/true
+
     openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$fqdn")) > domain.csr
     url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
     wait_server $url