Every SSL certificate is built around a key pair, and before you can even generate the CSR you have to answer one question: RSA or ECC? Most people click whatever the form defaults to and never think about it again. That's a shame, because the choice affects your handshake size, your server's CPU bill, and which ancient clients can still reach you — and because the honest answer in 2026 is different from what it was ten years ago. This guide compares the two algorithms on the things that actually differ.
In short
For a public website in 2026, ECC (an ECDSA P-256 key) is the better default: smaller, faster, equally trusted, and stronger per bit than RSA-2048. Choose RSA when you have to support genuinely old clients — think pre-4.x Android, XP-era Windows, legacy Java — or when a compliance document says RSA and arguing with it costs more than complying. The certificate itself costs the same either way; only the key in your CSR changes.
The comparison at a glance
ECC (ECDSA) | RSA | |
|---|---|---|
| Typical key | P-256 (256-bit) | 2048-bit |
| Security strength | ~128-bit (P-256) | ~112-bit (2048) |
| Signature size | ~70 bytes | 256 bytes (2048-bit) |
| Server signing speed | Fast | Much slower per handshake |
| Client support | All modern clients | Effectively everything ever made |
| CA/B Forum status | P-256, P-384, P-521 allowed | ≥2048-bit allowed |
| Quantum-resistant | No | No |
| Certificate price | Same product, same price | Same product, same price |
What the key actually does
A quick grounding, because the marketing around "encryption strength" muddies this. In a modern TLS connection, your certificate's key pair doesn't encrypt your traffic at all — the session itself is encrypted with symmetric keys (AES or ChaCha20) negotiated fresh for every connection via an ephemeral key exchange. Your certificate's key does one job: it signs. The server proves it owns the certificate by signing part of the handshake, and the client verifies that signature against the public key in the certificate. RSA and ECDSA are simply two different mathematical ways of doing that signature — RSA built on the difficulty of factoring large integers, ECC on the difficulty of the elliptic-curve discrete logarithm problem.
That's why the choice changes nothing about how strongly your visitors' data is encrypted, and why an "ECC certificate" and an "RSA certificate" are the same product with a different key inside. If the handshake mechanics are fuzzy, our walkthrough of how SSL works and the changes in TLS 1.3 cover it in detail.
Security: bits aren't bits
A 256-bit ECC key sounds weaker than a 2048-bit RSA key. It's the opposite. Key length only means something relative to the best known attack against the algorithm, and the attacks against RSA (integer factoring) are far more efficient than the attacks against elliptic curves. NIST's key-management guidance (SP 800-57) translates both into a common currency called security strength:
| Security strength | RSA key needed | ECC curve needed |
|---|---|---|
| 112-bit | 2048-bit | — |
| 128-bit | 3072-bit | P-256 |
| 192-bit | 7680-bit | P-384 |
Read the table from left to right and the pattern is brutal for RSA: to match what P-256 does in 256 bits, RSA needs 3072 — and to match P-384, an absurd 7680-bit key nobody deploys. This is what "more security per bit" means concretely. The standard ECC choice (P-256) is a full strength class above the standard RSA choice (2048), and that gap is the reason NIST's transition guidance puts a nearer expiry date on RSA-2048 than on P-256 or P-384.
What the table doesn't say also matters: both columns are fine today. No published attack comes anywhere near breaking RSA-2048 or P-256 classically, and certificates now live 199 days at most, so a key only has to hold up for months, not decades. Nobody should switch algorithms out of fear; the practical wins live in the next two sections.
Performance and handshake size
Here ECC simply wins, twice. First, size: an ECDSA P-256 signature is around 70 bytes, while an RSA-2048 signature is 256 bytes — and a certificate carries its public key too, where the difference is even larger (a P-256 public key is 65 bytes; an RSA-2048 key with its encoding is several times that). Multiply across a certificate chain and an ECC handshake ships hundreds of bytes less. On a fast connection nobody notices; on mobile networks, at the edge, or at millions of handshakes a day, it adds up.
Second, CPU: signing is the expensive operation a server does on every full handshake, and ECDSA P-256 signing is dramatically faster than RSA-2048 signing — run openssl speed rsa2048 ecdsap256 on your own hardware and watch the sign-operations column. RSA's one consolation is that verification is cheaper than ECDSA's, which mattered more in the era of slow client hardware; for the server you're paying for, ECC is the lighter load. Moving from RSA-2048 to RSA-4096 makes the slow side much slower again, which is why "just use a bigger RSA key" is usually the wrong instinct — if you want more margin than RSA-2048, P-256 or P-384 gets you there while making your servers faster, not slower.
The ecosystem has voted with its defaults: Certbot, the most widely used ACME client, has issued ECDSA (P-256) certificates by default since version 2.0, and large CDNs have served ECC certificates to modern clients for years.
Compatibility: the real RSA argument
RSA's trump card is age. It has been in every TLS stack since the 1990s, so an RSA certificate works with effectively every client ever shipped. ECDSA support arrived later, and while every current browser and OS handles P-256 and P-384 without complaint, the long tail does not: Windows XP-era clients, Android before 4.x, old Java runtimes, and assorted embedded devices, payment terminals, and set-top boxes that will never be updated. If a client without ECDSA support hits an ECC-only server, the handshake fails outright — there's no graceful downgrade within a single certificate.
Whether that matters depends entirely on your audience. A consumer web app can treat ECDSA-incapable clients as a rounding error in 2026. A B2B API consumed by enterprise Java services, or anything talking to industrial or point-of-sale hardware, should check its client logs before switching. And there's a clean middle path: serve both. Nginx, Apache, and most load balancers accept an ECC and an RSA certificate side by side for the same hostname and pick per connection based on what the client advertises — modern clients get the fast ECC handshake, relics get RSA. The cost is maintaining two certificates and two keys, which automation makes tolerable.
What the rules allow (and when they end)
Publicly-trusted certificates can't contain just any key. The CA/Browser Forum's Baseline Requirements permit exactly two families: RSA at 2048 bits or longer, and ECDSA on the NIST curves P-256, P-384, or P-521. That's the whole menu — a 1024-bit RSA key will be rejected by every CA, and fashionable algorithms like Ed25519, however good their engineering reputation, are not currently allowed in publicly-trusted TLS certificates at all. Within the menu, the choice is yours: validation level, wildcard coverage, and price are all independent of the key algorithm in your CSR.
Both families also share an expiry date, at least on paper. NIST's draft transition roadmap (IR 8547) deprecates algorithms at the 112-bit security level — RSA-2048's class — after 2030, and disallows quantum-vulnerable algorithms, which means all of RSA and ECC, after 2035 in NIST-governed contexts. The replacements are the ML-DSA and ML-KEM standards finalized in 2024. None of this changes what you should order this quarter, but it frames the decision honestly: ECC vs RSA is a question about the next few years, not the next decade. Our post-quantum cryptography guide covers what comes after both.
Generating an ECC or RSA CSR
The algorithm is fixed the moment you generate the key pair, before the CA is even involved. With OpenSSL, the two paths look like this:
# ECC: P-256 key (OpenSSL calls it prime256v1), then the CSR
openssl ecparam -name prime256v1 -genkey -noout -out private.key
openssl req -new -key private.key -out request.csr
# RSA: 2048-bit key and CSR in one command
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csrUse secp384r1 in place of prime256v1 for a P-384 key. From there, ordering works identically for both: submit the CSR, complete validation, install the issued certificate alongside your private key. Our CSR generation guide walks through the order form step by step, the OpenSSL cheat sheet has the full command reference, and the free SSL tools include a CSR generator and decoder if you'd rather not touch a terminal.
One operational note: when you renew or reissue, generate a fresh key rather than reusing the old one. Short renewal cycles make key rotation nearly free, and a renewal is also the natural, zero-drama moment to switch algorithms — nothing about moving from RSA to ECC requires downtime.
Which one should you use?
- Public website, app, or API serving modern clients? → ECC P-256. Smaller handshakes, lighter server load, stronger per bit, no downsides your users will ever encounter.
- Serving legacy clients you don't control — old Android, embedded hardware, ancient Java? → RSA-2048, or better, a dual ECC + RSA setup so only the relics pay the RSA tax.
- A compliance or procurement document mandates RSA? → RSA-2048 (or RSA-3072 if it names a strength above 112-bit). This fight is rarely worth having.
- Tempted by RSA-4096 "for extra security"? → Use P-256 or P-384 instead; you get the stronger key without making every handshake slower.
- Whichever key you choose, the certificate products are the same — if you're unsure about the validation level rather than the algorithm, our certificate chooser sorts that out, and current pricing applies equally to ECC and RSA orders.