

Recommendation
Leave “Use the system’s default key type” selected. It’s the option flagged Recommended and Current in the UI. The system default tracks what cPanel and the broader CA ecosystem consider safe and compatible right now (currently RSA, 2,048-bit on Noxity). We keep it in sync with industry guidance, so you don’t need to think about it.
The other choices
Pick one of these only if you have a specific reason:

| Option | When to choose it |
|---|---|
| RSA, 2,048-bit | The current system default. Universal compatibility, fast enough for any plausible workload. |
| ECDSA, P-384 (secp384r1) | Smaller and faster keys with a stronger curve. Compatible with every modern browser and CA. |
| ECDSA, P-256 (prime256v1) | Same family, smaller. Good default if you want ECDSA without the slight overhead of P-384. |
| RSA, 4,096-bit | More conservative than 2048. Slower handshakes; pick only if your compliance regime demands it. |
Save the setting
Click Save. The change is account-wide and persists across logins. To revert, return to this tab and re-select “Use the system’s default key type”.
Common issues
A CA rejected my ECDSA CSR
Some commercial CAs charge extra for ECDSA, and some still default to RSA-only on certain product tiers. If the CA refuses, generate an RSA key and CSR for that one certificate; you don’t have to change the account-wide default.
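For the per-certificate fallback described above, here is an added example using the OpenSSL command line (it is not from the original page or from cPanel). It generates a key and CSR for any of the four key types in the table and reports a CSR's key type, so you can check it before sending it to a CA. The function names, file names and the common name `example.test` are placeholders.

```shell
# Added example. Requires the openssl CLI; all names here are illustrative.

# make_csr <type> <basename> <common-name>
# <type> is one of: rsa2048 | rsa4096 | p256 | p384
# Writes <basename>.key (private key) and <basename>.csr (signing request).
make_csr() {
  case "$1" in
    rsa2048) alg=RSA; opt=rsa_keygen_bits:2048 ;;
    rsa4096) alg=RSA; opt=rsa_keygen_bits:4096 ;;
    p256)    alg=EC;  opt=ec_paramgen_curve:prime256v1 ;;
    p384)    alg=EC;  opt=ec_paramgen_curve:secp384r1 ;;
    *) echo "unknown key type: $1" >&2; return 2 ;;
  esac
  # Run in a subshell with a tight umask so the private key is
  # created readable by its owner only.
  ( umask 077
    openssl genpkey -algorithm "$alg" -pkeyopt "$opt" -out "$2.key" 2>/dev/null
  ) || return 1
  # The CSR carries only the public key and the subject; the key stays local.
  openssl req -new -key "$2.key" -subj "/CN=$3" -out "$2.csr"
}

# csr_key_type <file.csr>
# Prints "RSA <bits>" or "ECDSA <curve>", e.g. "RSA 2048", "ECDSA prime256v1".
csr_key_type() {
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    echo "RSA $bits"
  elif printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: \(.*\)/\1/p')
    echo "ECDSA $curve"
  else
    echo "other"
  fi
}

# Usage (constructed values):
#   make_csr rsa2048 ./shop example.test
#   csr_key_type ./shop.csr
```

Submit only the `.csr` file to the CA; the `.key` file stays on the server that will serve the certificate.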
I switched to RSA 4,096 and TLS handshakes are slower
Expected. RSA 4096 has roughly 4x the signing work per handshake. Most servers don’t notice; high-traffic origins do. ECDSA P-256 is the better fit if your concern is performance.

