RSA vs ECDSA: what's the difference when used to sign a certificate?
Quick Answer
Both RSA and ECDSA can sign a certificate to prove who owns it — this is a separate job from RSA/ECDHE key exchange. ECDSA gives the same signature strength as RSA with a much smaller key and faster signing, which is why it's increasingly the default for new certificates. RSA certificates remain extremely common too, mostly for broad compatibility with older clients.
Detailed Answer
It's easy to mix up two separate jobs that RSA and elliptic-curve cryptography can both do in TLS:
- Key exchange — agreeing on a shared secret (covered by RSA key exchange vs ECDHE, in an earlier question).
- Signing — proving ownership of a private key, used to sign certificates (RSA vs ECDSA).
This question is about the second job: which algorithm signs the certificate itself.
| RSA signatures | ECDSA signatures | |
|---|---|---|
| Typical key size for similar security | 2048–4096 bits | 256–384 bits |
| Signing speed | Slower | Faster |
| Certificate/handshake size | Larger | Smaller |
| Client compatibility | Universally supported, even by very old clients | Supported by all modern clients; rare old clients may lack support |
A certificate's signature algorithm is decided when the certificate is created. It is independent from the key-exchange method the connection ends up using. A certificate signed with ECDSA can still be used in a connection that negotiates ECDHE for key exchange. These are two different algorithms doing two different jobs — they just happen to share the same underlying "EC" (elliptic curve) math.
- In practice, many sites offer both an RSA and an ECDSA certificate for the same domain, and let the server pick whichever the connecting client supports and prefers.