Most sites on the internet right now use 2048 bit RSA. However that's where RSA tends to end: when sites move to stronger certificates they generally pick ECC (i.e. ECDSA) over 2048 bit RSA. Few CAs provide 4096 bit RSA keychains, and a 4096 bit RSA key signed by a 2048 bit RSA intermediary doesn't make a lot of sense.
That's because ECC is faster than older style RSA keys. On mobile devices the reduced CPU usage when making new HTTPS connections with ECC keys also means better battery life than their RSA equivalents. Modern CDNs like CloudFlare use ECC as default.
With CertSimple, we'll create a small, custom bash/powershell script that instantly makes an ECC keypair using the P-256 curve.
As of May 17th 2017, here's the curves supported by the major browsers:
Safe curves on the way
You'll notice x25519 is supported in 3 of the 4 major browsers. Curve 25519 is one of the 'safe curves' - easier to implement in software and therefore less prone to buggy implementations than other curves. You can't get a Curve 25519 cert signed by a CA at the moment, but there's a draft for curve 25519 use in TLS and once that's approved the Baseline Requirements created by the CA/Browser forum will likely add 25519 as an approved curve.
CertSimple defaulted to ECC in July 2016. So after nearly a year we have a good idea about the current state of ECC in the wild.
At the time of publishing, you'll want to use an RSA key for both 'Heroku SSL' and 'SSL Endpoint' services:
Heroku DevCenter mentions:
Heroku only supports RSA keys for certs. Elliptic curve (ECC) keys are not supported.
We reached out to Heroku and they confirmed they're working on fixing this.
Amazon CloudFront and Amazon Certificate Manager
The Amazon CloudFront Developer Guide mentions:
CloudFront supports only RSA public/private key pairs.
Likewise AWS Certificate Manager FAQ:
Q: Does ACM support elliptic curve (ECDSA) certificates?
Not at this time.
Amazon staff have also privately confirmed ECC support is being worked on.
Out of date F5 load balancers
However F5s are frequently used by enterprises that, through a fundamental misunderstanding of risk - that there is risk of change but no risk of stasis - don't upgrade their software frequently. If you're intending to terminate on an F5 appliance make sure it's up to date before using an ECC cert.
If you know other HTTTPS terminators that still don't yet work with ECC let us know and we'll update this document.