RSA vs ECDSA vs Ed25519 vs ML-DSA: which key should you use?

Your certificate's key algorithm decides its speed, size, compatibility, and — increasingly — whether it survives the arrival of quantum computers. Here's a straight comparison.

At a glance

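| Algorithm | Type | Speed | Sig size | Compatibility | Quantum-safe |
|---|---|---|---|---|---|
| RSA 2048 | Classical | Slow keygen, slow sign | 256 B | Universal | No |
| ECDSA P-256 | Classical | Fast | ~64–72 B | Very broad | No |
| Ed25519 | Classical | Very fast | 64 B | Good (modern) | No |
| ML-DSA-65 | Post-quantum | Fast | ~3.3 KB | New / limited | Yes |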

RSA — the universal default

RSA is the safest bet for maximum compatibility: every CA and every client accepts it. The downsides are size and speed: keys are large, operations are slow, and key generation for RSA-4096 takes noticeable time. Use RSA 2048 unless a policy requires 3072/4096.

ECDSA — small and fast

Elliptic-curve keys give equivalent security to RSA at a fraction of the size (a P-256 key ≈ RSA-3072 in strength). Handshakes are faster and certificates smaller. Compatibility is excellent today. ECDSA P-256 is the best modern default for public TLS.
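
The "~64–72 B" figure for ECDSA P-256 depends on encoding: the raw r||s form is always 64 bytes, while the DER form carried in X.509 and TLS varies in length and reaches 72 bytes. The following is an added example, not code from this page or from PQCert, that converts between the two and rejects malformed DER. Function names are hypothetical, and checking that r and s lie in the valid range is left to the signature verifier.

```python
# Added example: ECDSA P-256 signature encodings, raw r||s vs DER.
N_LEN = 32  # a P-256 scalar is 32 bytes


def _der_int(value: int) -> bytes:
    """Encode a non-negative int as a minimal DER INTEGER."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # top bit set: prepend 0x00 to stay positive
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def raw_to_der(raw: bytes) -> bytes:
    """64-byte r||s -> DER SEQUENCE { INTEGER r, INTEGER s }."""
    if len(raw) != 2 * N_LEN:
        raise ValueError("raw P-256 signature must be exactly 64 bytes")
    r = int.from_bytes(raw[:N_LEN], "big")
    s = int.from_bytes(raw[N_LEN:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body  # body <= 70: short-form length


def _read_int(buf: bytes, pos: int):
    """Strictly parse one DER INTEGER at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    value = int.from_bytes(body, "big")
    if value.bit_length() > 8 * N_LEN:
        raise ValueError("INTEGER too large for P-256")
    return value, pos + 2 + length


def der_to_raw(der: bytes) -> bytes:
    """DER ECDSA signature -> fixed 64-byte r||s, rejecting malformed input."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = _read_int(der, 2)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes")
    return r.to_bytes(N_LEN, "big") + s.to_bytes(N_LEN, "big")
```

Code that stores or parses ECDSA signatures should therefore not assume a fixed length unless it knows it is handling the raw form.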

Ed25519 — the modern favorite

Ed25519 (EdDSA on Curve25519) is fast, has small fixed-size signatures, and avoids several footguns of ECDSA. Support is widespread in modern stacks but slightly less universal than ECDSA for public CAs. Great for internal services and SSH-adjacent use.

ML-DSA — the quantum-resistant future

ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium) is NIST's standardized post-quantum signature. Unlike RSA and ECDSA, it is not broken by Shor's algorithm on a quantum computer. The trade-off is larger keys and signatures (kilobytes, not bytes). Public CAs and browsers don't broadly accept PQC certificates yet, but ML-DSA is ideal for internal CAs, testing, and crypto-agility planning now. See post-quantum cryptography for TLS.

Our recommendation
