CertMgr supports Elliptic Curve Digital Signature Algorithm (ECDSA) using the NIST P-256 and NIST P-384 curves for ACME accounts and for TLS 1.2 host keys (keyring files) generated from either the Let's Encrypt CA or a third-party CA.
ECDSA keys are much shorter than RSA keys of equivalent strength and generally offer improved performance over their RSA equivalents.
A Domino server configured to use an ECDSA keyring file via CertMgr or kyrtool supports the following two TLS 1.2 cipher suites, which are supported by most current browsers and devices:
Why not always use ECDSA instead of RSA? Some within the security industry are concerned about a lack of transparency in how the NIST curves were selected, and so prefer using RSA despite the performance penalty.
ACME accounts
The default setting for new ACME account keys is ECDSA NIST P-384 in certstore.ntf. RSA account keys are supported for use with ACME-based CAs that do not support ECDSA account keys. Once you have registered an ACME account document with a Key ID (KID) and private key, you must create a new ACME account document to switch between ECDSA and RSA.
TLS host keys
The default configuration for new host keys generated by the Let's Encrypt CA or a third-party CA remains 4096 bit RSA. You can change key types and key sizes via key rollover. For more information, see Requesting a key rollover.