ssl

SSL/TLS Key Types

Valid for versions 92 through the latest version

Version:

92


Last modified: October 15, 2020

Overview

cPanel & WHM offers users the choice of a preferred key type for SSL/TLS. Currently, you can select from RSA keys or Elliptic Curve Digital Signature Algorithm (ECDSA) keys for your SSL/TLS needs. These keys are currently the two most widely-used and recognized algorithms for SSL/TLS public key signing.

When selecting a key type for your certificates, knowing which best serves your site’s security and performance needs is important.

ECDSA keys versus RSA keys

There are several notable differences between ECDSA and RSA keys:

ECDSA

In general, ECDSA keys are:

RSA

In general, RSA keys are:

  • Well-established and widely-recognized as the industry standard.
  • Required by Certificate Authorities (CA) to be at least 2,048 bits in size.
  • Capable of supporting many older systems and client software.
  • RSA does not support PCI-compliant TLS for IE11 for LiteSpeed Web Servers.

Key length differences

ECDSA keys are shorter in length than RSA keys in bit size, but can provide the same security levels as RSA keys. For example, a 224-bit ECDSA key provides comparable security to a 2,048-bit RSA key.

The following table compares both key types’ key length and strength, in bits:

RSA key length ECDSA key length
1024 160
2048 224
3072 256
7680 384
15360 512

As illustrated above, ECDSA keys scale much better than RSA keys. This can help users with greater security needs effectively secure their servers for less overall size.

Changing your default key type

You can modify your preferred key type in the following interfaces:

In WHM

  • The SSL/TLS Configuration interface (WHM >> Home >> SSL/TLS >> SSL/TLS Configuration).
  • The Security section of the Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).

In cPanel

  • The SSL/TLS interface (cPanel >> Home >> Security >> SSL/TLS).

Additional Documentation