RSA vs ECDSA: what's the difference when used to sign a certificate?

4 minintermediatersaecdsacertificatesdigital-signature

Quick Answer

Both RSA and ECDSA can sign a certificate to prove who owns it — this is a separate job from RSA/ECDHE key exchange. ECDSA gives the same signature strength as RSA with a much smaller key and faster signing, which is why it's increasingly the default for new certificates. RSA certificates remain extremely common too, mostly for broad compatibility with older clients.

Detailed Answer

It's easy to mix up two separate jobs that RSA and elliptic-curve cryptography can both do in TLS:

  • Key exchange — agreeing on a shared secret (covered by RSA key exchange vs ECDHE, in an earlier question).
  • Signing — proving ownership of a private key, used to sign certificates (RSA vs ECDSA).

This question is about the second job: which algorithm signs the certificate itself.

RSA signaturesECDSA signatures
Typical key size for similar security2048–4096 bits256–384 bits
Signing speedSlowerFaster
Certificate/handshake sizeLargerSmaller
Client compatibilityUniversally supported, even by very old clientsSupported by all modern clients; rare old clients may lack support

A certificate's signature algorithm is decided when the certificate is created. It is independent from the key-exchange method the connection ends up using. A certificate signed with ECDSA can still be used in a connection that negotiates ECDHE for key exchange. These are two different algorithms doing two different jobs — they just happen to share the same underlying "EC" (elliptic curve) math.

  • In practice, many sites offer both an RSA and an ECDSA certificate for the same domain, and let the server pick whichever the connecting client supports and prefers.