Your certificate's key algorithm decides its speed, size, compatibility, and — increasingly — whether it survives the arrival of quantum computers. Here's a straight comparison.
| Algorithm | Type | Speed | Sig size | Compatibility | Quantum-safe |
|---|---|---|---|---|---|
| RSA 2048 | Classical | Slow keygen, slow sign | 256 B | Universal | ❌ |
| ECDSA P-256 | Classical | Fast | ~64–72 B | Very broad | ❌ |
| Ed25519 | Classical | Very fast | 64 B | Good (modern) | ❌ |
| ML-DSA-65 | Post-quantum | Fast | ~3.3 KB | New / limited | ✅ |
RSA is the safest bet for maximum compatibility: every CA and every client accepts it. Downsides are size and speed — keys and signatures are large, signing is slow, and key generation for RSA-4096 takes noticeable time. Use RSA 2048 unless a policy requires 3072/4096.
Elliptic-curve keys give equivalent security to RSA at a fraction of the size (a P-256 key ≈ RSA-3072 in strength). Handshakes are faster and certificates smaller. Compatibility is excellent today. ECDSA P-256 is the best modern default for public TLS.
Ed25519 (EdDSA on Curve25519) is fast, has small fixed-size signatures, and avoids the main footgun of ECDSA: its signatures are deterministic, so there is no per-signature random nonce whose reuse or bias leaks the private key. Support is widespread in modern stacks but slightly less universal than ECDSA for public CAs. Great for internal services and SSH-adjacent use.
ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium) is NIST's standardized post-quantum signature. Unlike RSA and ECDSA, it is not broken by Shor's algorithm on a quantum computer. The trade-off is larger keys and signatures (kilobytes, not bytes). Public CAs and browsers don't broadly accept PQC certificates yet, but ML-DSA is ideal for internal CAs, testing, and crypto-agility planning now. See post-quantum cryptography for TLS.
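As an added example (not code from the original page), the Go program below uses only the standard library to generate the table's three classical key types, issue a self-signed certificate for each, and report the figures compared above: key algorithm, signature length and certificate size. The function names RSA2048, P256, Ed25519, SelfSigned, Inspect and ShorVulnerable and the subject name example.internal are this example's own; ML-DSA is absent because, at the time of writing, Go's crypto/x509 has no post-quantum signature support, the same compatibility gap the last paragraph describes.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Fresh keys for the table's three classical rows; each satisfies crypto.Signer.
func RSA2048() (crypto.Signer, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func P256() (crypto.Signer, error)    { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func Ed25519() (crypto.Signer, error) { _, k, err := ed25519.GenerateKey(rand.Reader); return k, err }

// SelfSigned issues a one-day self-signed certificate with a key from gen.
func SelfSigned(gen func() (crypto.Signer, error)) (*x509.Certificate, error) {
	priv, err := gen()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.internal"}, // placeholder name
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Inspect checks the cert's own signature, then reports key algorithm, signature and DER sizes.
func Inspect(c *x509.Certificate) (keyAlgo string, sigBytes, certBytes int, err error) {
	if err = c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
		return "", 0, 0, err
	}
	return c.PublicKeyAlgorithm.String(), len(c.Signature), len(c.Raw), nil
}

// ShorVulnerable flags keys a quantum computer breaks; every type stdlib x509 emits is classical.
func ShorVulnerable(algo x509.PublicKeyAlgorithm) bool {
	return algo == x509.RSA || algo == x509.DSA || algo == x509.ECDSA || algo == x509.Ed25519
}
```

The ECDSA signature length varies from run to run because of DER integer encoding, which is why the table lists a range rather than a fixed 64 bytes.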