
All about ECC SSL certificates

ECC, what is it and how does it work?

ECC stands for Elliptic Curve Cryptography.

As its name suggests, ECC is based on elliptic curves. It provides keys far shorter than their RSA counterparts for an equivalent security level.

Both systems rely on prime numbers, but where RSA relies on factoring, ECC relies on discrete logarithms.

In practice, keys and certificates work the same way but have different formats.

Why choose ECC?

Technological progress forces the industry to regularly increase the minimum length required for RSA keys. Keys currently in use must be generated with at least 2048 bits, and the ANSSI recommends 4096-bit from 2020. But key size has a significant impact on the performance of your equipment.

ECC keys, being shorter, enable better performance on compatible servers.

See below the equivalences between ECC and RSA key lengths:

RSA key size (bits)    ECC key size (bits)
1024                   160
2048                   224
3072                   256
7680                   384
15360                  521

ANSSI's recommendations

As the ANSSI recommends a minimum length

How to place an ECC SSL certificate request?

Easy enough. Placing a request for an ECC certificate is the same as for an RSA one. The only difference is that you must provide a CSR in ECC format (see How to generate an ECC CSR with OpenSSL). The system automatically detects the CSR format and issues a corresponding certificate.
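
An added example, not taken from the original page or from TBS: it generates an ECC key and CSR with OpenSSL, builds an RSA request for comparison, and reads back the key type and size each CSR carries. The host name www.example.com, the file names and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not TBS or Sectigo code. www.example.com and file names are placeholders.
set -eu

# Create a private key on a named curve, then a CSR signed with it.
# $1 = OpenSSL curve name, $2 = output path prefix, $3 = common name
make_ecc_csr() {
    openssl ecparam -name "$1" -genkey -noout -out "$2.key"
    chmod 600 "$2.key"
    openssl req -new -sha256 -key "$2.key" -subj "/CN=$3" -out "$2.csr"
}

# Same request with an RSA key, for comparison. $1 = modulus size in bits.
make_rsa_csr() {
    openssl req -new -sha256 -newkey "rsa:$1" -nodes -keyout "$2.key" \
        -subj "/CN=$3" -out "$2.csr" 2>/dev/null
    chmod 600 "$2.key"
}

# Print "<ECC|RSA|unknown> <key size in bits>" for a CSR file.
csr_key_info() {
    text=$(openssl req -in "$1" -noout -text)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$text" in
        *"Public Key Algorithm: id-ecPublicKey"*) echo "ECC $bits" ;;
        *"Public Key Algorithm: rsaEncryption"*)  echo "RSA $bits" ;;
        *)                                        echo "unknown $bits" ;;
    esac
}

# Build one CSR of each kind at the 256-bit ECC / 3072-bit RSA equivalence
# from the table above and show what each file contains.
demo() {
    dir=$(mktemp -d)
    make_ecc_csr prime256v1 "$dir/ecc" www.example.com
    make_rsa_csr 3072 "$dir/rsa" www.example.com
    for f in ecc rsa; do
        echo "$f.csr: $(csr_key_info "$dir/$f.csr"), $(wc -c < "$dir/$f.csr") bytes"
    done
    rm -rf "$dir"
}
demo
```

Running `csr_key_info` on a CSR before submitting it confirms that the request really carries an ECC key on the intended curve size.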

Understanding the graphic elements
When placing your order, you will see new graphic elements indicating which products are available in ECC format and how they are chained (see below):

  • Certificate and certification chain in ECC format
  • ECC certificate and certification chain in RSA format
  • Certificate and certification chain in RSA format

The certification chains

Sectigo EV ECC certificates have a full ECC certification chain, meaning that the certificate, the intermediate certificates and the root certificate are all in ECC format.

Sectigo non-EV and TBS X509 products have a crossed certification chain for the time being: the certificate is in ECC format whereas intermediate and root certificates are in RSA format. Those products benefit from a better recognition rate from browsers and servers.

Compatibility with servers/browsers?

For now, ECC is not widely deployed, so certificates using this format are less recognized by servers and browsers than their RSA counterparts. Yet the difference is not so great for certificates using a crossed certification chain (an ECC certificate with an RSA certification chain).

Moreover, even if the certificate is recognized by the browser (root present), the browser may still not be compatible with the technology.

These 2 elements must be taken into account when addressing the subject of recognition / compatibility.

Consult browsers' compatibility with ECC certificates.
