3.6 Signatures & Key Algorithms
Cryptographic specifications, supported public key algorithms, and our Post-Quantum Cryptography (PQC) readiness.
Web PKI relies on robust asymmetric cryptography to establish trust and secure communications. CertKit supports modern, industry-standard key types and signature algorithms to ensure maximum security, speed, and backward compatibility.
This page outlines the cryptographic configurations supported by CertKit and our roadmap for Post-Quantum Cryptography (PQC).
Supported Key Algorithms
When creating a certificate in CertKit, you can select from several key algorithms under the Advanced fields:
1. Elliptic Curve Digital Signature Algorithm (ECDSA)
ECDSA is the recommended default for almost all modern infrastructure:
- EC256 (Default): Utilizes the NIST P-256 curve. Highly optimized, providing equivalent security to a 3072-bit RSA key with significantly smaller key size and lower CPU consumption during TLS handshakes.
- EC384: Utilizes the NIST P-384 curve. Ideal for strict organizational security policies demanding larger cryptographic margins.
2. Rivest-Shamir-Adleman (RSA)
RSA remains the fallback standard for maximum compatibility:
- RSA2048: Compatible with virtually 100% of legacy operating systems, hardware load balancers, and embedded devices.
- RSA4096: Meets strict government and compliance standards demanding 4096-bit key lengths, though at the cost of slower signing operations and larger packet size.
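The size trade-off between the four options above can be measured directly. The following is an added example, not CertKit code: using only Go's standard library, it signs a certificate signing request (CSR) with a fresh key of each type, verifies it as a receiver would, and reports the signature algorithm and byte sizes. The names `keygen` and `csrInfo` are introduced here for illustration, the keys are constructed test input, and the hash pairing shown is Go's default rather than a documented CertKit setting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// keygen makes a fresh, constructed test key for each of the four labels on this page.
var keygen = map[string]func() (any, error){
	"EC256":   func() (any, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) },
	"EC384":   func() (any, error) { return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) },
	"RSA2048": func() (any, error) { return rsa.GenerateKey(rand.Reader, 2048) },
	"RSA4096": func() (any, error) { return rsa.GenerateKey(rand.Reader, 4096) },
}

// csrInfo signs a CSR, verifies it, and returns signature algorithm, SPKI bytes, signature bytes.
func csrInfo(label string) (sigAlg string, spkiLen, sigLen int, err error) {
	mk, ok := keygen[label]
	if !ok {
		return "", 0, 0, fmt.Errorf("unsupported key algorithm %q", label)
	}
	key, err := mk()
	if err != nil {
		return "", 0, 0, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	if err != nil {
		return "", 0, 0, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the private key
	}
	if err != nil {
		return "", 0, 0, err
	}
	return csr.SignatureAlgorithm.String(), len(csr.RawSubjectPublicKeyInfo), len(csr.Signature), nil
}

func main() {
	for _, label := range []string{"EC256", "EC384", "RSA2048", "RSA4096"} {
		alg, spki, sig, err := csrInfo(label)
		fmt.Printf("%-8s %-13s SPKI=%dB sig=%dB err=%v\n", label, alg, spki, sig, err)
	}
}
```

The encoded public key is 91 bytes for EC256 and 120 for EC384, against 294 for RSA2048 and 550 for RSA4096. ECDSA signatures are DER-encoded and vary by a few bytes per run (at most 72 and 104 bytes), while RSA signatures are always 256 and 512 bytes.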
Post-Quantum Cryptography (PQC)
Classical asymmetric algorithms (such as RSA and ECDSA) are theoretically vulnerable to future quantum computers running Shor’s algorithm, which could recover private keys from public keys and so allow decryption or signature forgery. To proactively mitigate this threat, the industry is transitioning to quantum-resistant standards.
CertKit’s cloud storage, cross-platform agents, and database schemas are built on principles of cryptographic agility to support seamless transitions as CAs begin deploying post-quantum material.
To read about our support roadmap for hybrid (dual-signature) certificates, NIST standards, and Let’s Encrypt post-quantum certificates, see our dedicated section on Post-Quantum Cryptography (PQC).