In addition to RSA keys, Web Server introduces support for Elliptic Curve Cryptography (ECC).
ECC is emerging as an attractive public-key cryptosystem because, compared to traditional cryptosystems like RSA, it offers equivalent security with smaller key sizes, which results in faster computations, lower power consumption, and memory and bandwidth savings. ECC has been endorsed by the US government.
It is now possible to select whether you want to generate a certificate request or a self-signed certificate using RSA keys or ECC keys.
For RSA keys, different key sizes can be provided (a bigger key size means better encryption; the default key size is 1024). For ECC keys, you should choose the curve on which the key pair will be generated. A number of curves have been named by various organizations (ANSI X9.62, NIST, SECG), and Web Server supports all the ones currently specified.
If you intend to request a certificate from a CA (instead of using a self-signed certificate), be sure to contact your preferred CA first to obtain their latest information regarding ECC usage. Ask if they recommend a particular ECC curve for your use case(s). If you do not have guidance on curve selection from your CA or from your organization's internal policies, here are some recommendations. Keep in mind that, since ECC is an emerging technology, curve recommendations for particular use cases may have changed since this document was written.
Some supported ECC curves are listed below:
prime256v1
secp256r1
nistp256
secp256k1
secp384r1
nistp384
secp521r1
nistp521
sect163k1
nistk163
sect163r1
sect163r2
nistb163
sect193r1
sect193r2
sect233k1
nistk233k1
nistk233
sect233r1
nistb233
sect239k1
sect283k1
nistk283
sect283r1
nistb283
sect409k1
nistk409
sect571k1
nistk571
sect571r1
nistb571
secp160k1
secp160r1
secp160r2
secp192k1
secp192r1
nistp192
secp224k1
secp224r1
nistp224
prime192v1
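To compare the curves listed above with RSA key sizes, the following added example (not part of Web Server or its documentation) parses a curve name and maps its field size to the comparable-strength figures in NIST SP 800-57 Part 1. The function names, the strength table layout, and the sample list are assumptions made for this example.

```python
import re

# Comparable strengths from NIST SP 800-57 Part 1:
# (minimum ECC size in bits, security strength in bits, comparable RSA modulus in bits)
STRENGTHS = [(512, 256, 15360), (384, 192, 7680), (256, 128, 3072),
             (224, 112, 2048), (160, 80, 1024)]

# SECG: sec + p (prime field) | t (binary field) + size + k (Koblitz) | r (random) + index
SECG = re.compile(r"sec(?P<field>[pt])(?P<bits>\d+)[kr]\d+")
# NIST aliases: nist + p (prime) | k (binary Koblitz) | b (binary random) + size
NIST = re.compile(r"nist(?P<field>[pkb])(?P<bits>\d+)")
# ANSI X9.62 prime-field names: prime + size + v + index
ANSI = re.compile(r"prime(?P<bits>\d+)v\d+")


def describe(name):
    """Return (field, size, security_bits, rsa_bits), or None for an unrecognised name."""
    name = name.strip().lower()
    for pattern in (SECG, NIST, ANSI):
        m = pattern.fullmatch(name)
        if m:
            break
    else:
        return None
    # Only SECG "t" and NIST "k"/"b" names denote binary fields.
    field = "binary" if m.groupdict().get("field") in ("t", "k", "b") else "prime"
    size = int(m["bits"])  # field size, used here as a proxy for the group order size
    for minimum, security, rsa in STRENGTHS:
        if size >= minimum:
            return field, size, security, rsa
    return field, size, None, None  # smaller than anything in the table


def meeting(names, min_security):
    """Names whose comparable strength is at least min_security bits."""
    picked = []
    for n in names:
        info = describe(n)
        if info and info[2] is not None and info[2] >= min_security:
            picked.append(n)
    return picked


if __name__ == "__main__":
    # Constructed sample: a few names copied from the list above.
    sample = ["prime256v1", "secp384r1", "nistp521", "sect163k1",
              "nistk233k1", "secp160r1", "nistb283", "sect571r1"]
    for n in sample:
        print(n, describe(n))
    print("128-bit or better:", meeting(sample, 128))
```

The entry nistk233k1 yields None because it does not fit the nist + letter + size pattern that the other NIST names in the list follow.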