Bulletproof TLS Guide  

Comprehensive and yet concise guide to practical SSL/TLS and PKI configuration. Includes coverage of TLS server configuration and web application security. Written by Ivan Ristić.


1.1.1 Use Strong Private Keys

For the certificate private key, you have a choice of RSA or ECDSA. The easy option is RSA, because RSA keys are universally supported. But at 2,048 bits, which is the current minimum, RSA keys offer less security and worse performance than ECDSA keys: a 256-bit ECDSA key provides 128 bits of security, versus only 112 bits for a 2,048-bit RSA key. At these sizes, ECDSA signing, which is the operation a TLS server performs on every full handshake, is also significantly faster. Signature verification is the one operation where RSA is quicker, but that cost falls on the client rather than the server.

By now, ECDSA is very widely supported; devices that don't support it are rare and probably obsolete from a security perspective anyway. If you're still concerned about interoperability, you can deploy services with dual certificates, one RSA and one ECDSA, and let the server select which chain to send based on the signature algorithms each client advertises in its handshake. The only disadvantage of this setup is the increased maintenance overhead: two keys and two certificates to issue, renew, and protect. Some managed providers handle this automatically for you.
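As an added example, not code from the book or its author: the following shell script generates the two key types compared above, checks that the ECDSA key really is on P-256 and that the RSA modulus really is 2,048 bits, issues short-lived self-signed certificates for a test host (constructed here only so the script runs offline; production certificates come from a CA), and writes a dual-certificate nginx server block. The host name, the working directory, and the nginx paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): strong private keys and a dual-certificate
# deployment. Host name, directory and the nginx snippet are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-www.example.com}"   # assumed host name for the test certificates

# ECDSA key on the NIST P-256 curve (128-bit security level). The named-curve
# encoding is what TLS stacks and CAs expect; explicit parameters are rejected.
gen_ecdsa_key() {
    openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:P-256 \
        -pkeyopt ec_param_enc:named_curve \
        -out "$1" 2>/dev/null
}

# RSA key at the 2,048-bit minimum (112-bit security level).
gen_rsa_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# Curve name recorded in an EC key, e.g. "prime256v1" (OpenSSL's name for P-256).
ec_curve_name() {
    openssl pkey -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# Modulus length of an RSA key in bits, parsed from the "Private-Key: (N bit" line.
rsa_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Self-signed certificate for the test host (30 days). Only so the example is
# complete; in production the CSR goes to a CA instead.
self_signed_cert() {   # key cert
    openssl req -new -x509 -key "$1" -subj "/CN=$HOST" -days 30 \
        -out "$2" 2>/dev/null
}

# Signature algorithm used on a certificate, e.g. "ecdsa-with-SHA256".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Assumed nginx server block. Two ssl_certificate/ssl_certificate_key pairs
# are permitted since nginx 1.11.0; nginx sends the ECDSA chain to clients
# that advertise ECDSA signature algorithms and the RSA chain to the rest.
write_nginx_dual_cert() {   # outfile
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $HOST;

    ssl_certificate     $WORKDIR/ecdsa.crt;
    ssl_certificate_key $WORKDIR/ecdsa.key;

    ssl_certificate     $WORKDIR/rsa.crt;
    ssl_certificate_key $WORKDIR/rsa.key;
}
EOF
}

main() {
    gen_ecdsa_key "$WORKDIR/ecdsa.key"
    gen_rsa_key   "$WORKDIR/rsa.key"
    chmod 600 "$WORKDIR"/*.key      # private keys: owner-readable only

    self_signed_cert "$WORKDIR/ecdsa.key" "$WORKDIR/ecdsa.crt"
    self_signed_cert "$WORKDIR/rsa.key"   "$WORKDIR/rsa.crt"
    write_nginx_dual_cert "$WORKDIR/dual.conf"

    printf 'ECDSA key curve : %s\n' "$(ec_curve_name "$WORKDIR/ecdsa.key")"
    printf 'RSA key modulus : %s bits\n' "$(rsa_key_bits "$WORKDIR/rsa.key")"
    printf 'ECDSA cert sig  : %s\n' "$(cert_sig_alg "$WORKDIR/ecdsa.crt")"
    printf 'RSA cert sig    : %s\n' "$(cert_sig_alg "$WORKDIR/rsa.crt")"
    printf 'nginx snippet   : %s\n' "$WORKDIR/dual.conf"
}

main "$@"
```

Run it as `sh keys.sh` (or with `WORKDIR=/etc/ssl/private/example sh keys.sh` to choose the directory). The checks matter in practice: a key generated with the wrong curve, or an RSA key below 2,048 bits, will be rejected by public CAs and by modern clients, so verify the parameters before submitting a CSR.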

Until recently, ECDSA was thought to be the algorithm of the future, but that all changed when the world decided to embark on a path to post-quantum cryptography. Both RSA and ECDSA can be broken by a cryptographically relevant quantum computer (CRQC). A variety of replacement options are being considered, but it will be some time before the successors are decided.
