All about ECC SSL certificates
ECC, what is it and how does it work?
ECC stands for Elliptic Curve Cryptography.
Using, as its name suggests, elliptic-curve arithmetic, ECC provides keys that are far shorter than their RSA counterparts for an equivalent security level.
Both systems rely on prime-number arithmetic, but where RSA's security rests on the difficulty of factoring, ECC's rests on the discrete logarithm problem over an elliptic curve.
In practice, ECC keys and certificates are used the same way as RSA ones but have different formats.
Why choose ECC?
Technological progress forces the industry to raise the minimum required RSA key length at regular intervals. Keys generated today must be at least 2048-bit, and the ANSSI recommends 4096-bit from 2020. But key size has a significant impact on the performance of your equipment.
ECC keys, being shorter, give better performance on compatible servers.
See below the equivalences between ECC and RSA key lengths:
RSA key sizes (bits) | ECC key sizes (bits)
As the ANSSI recommends a minimum length
How to place an ECC SSL certificate request?
Easy enough: placing a request for an ECC certificate is the same as for an RSA one. The only difference is that you must provide a CSR in ECC format (see How to generate an ECC CSR with OpenSSL). The system automatically detects the CSR format and issues a matching certificate.
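The steps above in working form, as an added example that is not TBS Internet's own documentation: generate an EC key and CSR with OpenSSL, then read the CSR's public-key algorithm field, which is how the format of a request can be detected automatically. It assumes the `openssl` CLI (1.1.x or 3.x) is on PATH; the curve, the temporary directory and the subject name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not TBS Internet's own documentation: generate an ECC key pair
# and a CSR with OpenSSL, then inspect the CSR the way an ordering system would
# to detect its format. Assumes the `openssl` CLI (1.1.x or 3.x) is on PATH;
# the curve, directory and subject name below are constructed for the demo.
set -eu

WORKDIR="$(mktemp -d)"

# Generate an EC private key on the given named curve (default P-256, the curve
# with the broadest browser and server support; secp384r1 is the usual alternative).
gen_ec_key() {
    key="$1"; curve="${2:-prime256v1}"
    openssl ecparam -name "$curve" -genkey -noout -out "$key"
}

# Build a CSR from the key. Because the key is EC, OpenSSL signs the request with
# ECDSA; no extra option is needed to make it an "ECC CSR".
gen_ec_csr() {
    key="$1"; csr="$2"; cn="$3"
    openssl req -new -key "$key" -sha256 -subj "/CN=$cn" -out "$csr"
}

# Public-key algorithm declared in the CSR: id-ecPublicKey for ECC, rsaEncryption
# for RSA. This field is what lets an issuing system detect the format automatically.
csr_key_algo() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# Named curve carried by the CSR's public key.
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/.*ASN1 OID: //p'
}

# Check the CSR's self-signature before sending it; this catches a truncated
# or hand-edited PEM block.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

gen_ec_key "$WORKDIR/ecc.key"
gen_ec_csr "$WORKDIR/ecc.key" "$WORKDIR/ecc.csr" "www.example.com"
echo "CSR written to $WORKDIR/ecc.csr"
echo "algorithm: $(csr_key_algo "$WORKDIR/ecc.csr")"   # id-ecPublicKey
echo "curve:     $(csr_curve "$WORKDIR/ecc.csr")"      # prime256v1
if csr_verify "$WORKDIR/ecc.csr"; then
    echo "CSR self-signature OK"
else
    echo "CSR self-signature INVALID" >&2
    exit 1
fi
```

Run it as-is to produce a P-256 CSR, or pass `secp384r1` as the second argument of `gen_ec_key` for a 384-bit key; the two `sed` lookups are the same checks worth running on any CSR before uploading it, since an RSA key fed to `gen_ec_csr` would be reported as `rsaEncryption` and be issued as an RSA certificate.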
Understanding the graphic elements
When placing your order you will see new graphic elements indicating which products are available in ECC format and how they are chained (see below):
- Certificate and certification chain in ECC format
- ECC certificate and certification chain in RSA format
- Certificate and certification chain in RSA format
The certification chains
Comodo EV ECC and Symantec Secure Site Pro ECC certificates have a full ECC certification chain, meaning that the certificate, the intermediate certificates and the root certificate are all in ECC format.
Comodo non-EV and TBS X509 products have a crossed certification chain for the time being: the certificate is in ECC format whereas the intermediate and root certificates are in RSA format. Those products benefit from a better recognition rate by browsers and servers.
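To make the two chain shapes concrete, here is an added example (not TBS Internet's tooling, and not the real Comodo or Symantec hierarchies) that builds two tiny test PKIs with OpenSSL, an all-ECC chain and a crossed chain with an ECC leaf signed by an RSA CA, then reads the key algorithm of each certificate to classify the chain and confirms that validation succeeds regardless of the mix. It assumes the `openssl` CLI (1.1.x or 3.x) is on PATH; all CA and host names are constructed.

```shell
#!/bin/sh
# Added example, not TBS Internet's own tooling: build two test PKIs with OpenSSL
# (an all-ECC chain and a "crossed" chain: ECC leaf signed by an RSA CA), report
# the key algorithm of each certificate and classify the chain.
# Assumes the `openssl` CLI (1.1.x or 3.x) on PATH. Every name below is constructed.
set -eu

WORKDIR="$(mktemp -d)"

# Self-signed test CA whose key is EC (P-256) or RSA (2048-bit).
make_ca() {
    name="$1"; algo="$2"
    if [ "$algo" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/$name.key"
    else
        openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    fi
    openssl req -x509 -new -key "$WORKDIR/$name.key" -sha256 -days 30 \
        -subj "/CN=$name" -out "$WORKDIR/$name.crt"
}

# ECC end-entity certificate signed by the named test CA.
make_ec_leaf() {
    name="$1"; ca="$2"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/$name.key"
    openssl req -new -key "$WORKDIR/$name.key" -sha256 -subj "/CN=$name" \
        -out "$WORKDIR/$name.csr"
    openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/$ca.crt" \
        -CAkey "$WORKDIR/$ca.key" -CAcreateserial -sha256 -days 30 \
        -out "$WORKDIR/$name.crt" 2>/dev/null
}

# Public-key algorithm of one PEM certificate: id-ecPublicKey or rsaEncryption.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# Classify a chain given as certificate files, leaf first, CA(s) after:
#   full ECC : every certificate carries an EC key
#   crossed  : EC leaf, but at least one RSA certificate above it
#   RSA      : RSA leaf
classify_chain() {
    leaf_algo="$(cert_key_algo "$1")"
    rsa_above=0
    shift
    for c in "$@"; do
        [ "$(cert_key_algo "$c")" = id-ecPublicKey ] || rsa_above=1
    done
    if [ "$leaf_algo" != id-ecPublicKey ]; then echo "RSA"
    elif [ "$rsa_above" -eq 1 ]; then echo "crossed"
    else echo "full ECC"
    fi
}

# Path validation does not care that the algorithms differ: an RSA root can
# vouch for an EC leaf, which is why a crossed chain validates wherever the
# RSA root is trusted.
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca ecc-root ec
make_ec_leaf ecc-site ecc-root
make_ca rsa-root rsa
make_ec_leaf crossed-site rsa-root

echo "ecc-site     -> $(classify_chain "$WORKDIR/ecc-site.crt" "$WORKDIR/ecc-root.crt")"      # full ECC
echo "crossed-site -> $(classify_chain "$WORKDIR/crossed-site.crt" "$WORKDIR/rsa-root.crt")"  # crossed
if verify_leaf "$WORKDIR/crossed-site.crt" "$WORKDIR/rsa-root.crt"; then
    echo "crossed chain validates against its RSA root"
else
    echo "crossed chain FAILED validation" >&2
    exit 1
fi
```

`classify_chain` is the check to run on a bundle you receive from a CA: pass the leaf first and the intermediates and root after it. An intermediate CA between leaf and root would be handled the same way, as one more argument.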
Compatibility with servers/browsers?
For now, ECC is not widely deployed; certificates using this format are therefore less widely recognized by servers and browsers than their RSA counterparts. The difference is smaller, however, for certificates using a crossed certification chain (an ECC certificate under an RSA certification chain).
Moreover, even if the certificate is recognized by the browser (root present), the browser itself may still not support the ECC technology.
These two elements must be taken into account when approaching the subject of recognition / compatibility.
- TBS INTERNET welcomes ECC products
- ECC certificates comparison charts
- Generate an ECC CSR for Apache with OpenSSL
- Technical limitation of ECC SSL certificates