> ## Documentation Index
> Fetch the complete documentation index at: https://help.noxity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Settings

> Default key type for new SSL/TLS certificates and CSRs. Recommended: leave on the system default.

The Settings tab has one option: the default key type cPanel uses when generating a new SSL/TLS certificate or CSR. Once set, the [Wizard](/web-hosting/cpanel/security-settings/ssl-tls-certificates/wizard), [Certificates](/web-hosting/cpanel/security-settings/ssl-tls-certificates/certificates) generator, [Keys](/web-hosting/cpanel/security-settings/ssl-tls-certificates/keys), and [Requests](/web-hosting/cpanel/security-settings/ssl-tls-certificates/requests) flows all start with this type pre-selected.

Open it from cPanel home → **Security** → **SSL/TLS Certificates** → **Settings**.

<Frame caption="Settings tab with the Default SSL/TLS Key Type radio buttons">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/ssl-tls-certificates/settings/listing-light.png" alt="Settings tab with the system default selected" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/ssl-tls-certificates/settings/listing-dark.png" alt="Settings tab with the system default selected" className="hidden dark:block" />
</Frame>

## Recommendation

Leave **Use the system's default key type** selected. It's the option flagged **Recommended** and **Current** in the UI. The system default tracks what cPanel and the broader CA ecosystem consider safe and compatible right now (currently `RSA, 2,048-bit` on Noxity); we keep it in sync with industry guidance, you don't need to think about it.

## The other choices

Pick one of these only if you have a specific reason:

| Option                    | When to choose it                                                                               |
| ------------------------- | ----------------------------------------------------------------------------------------------- |
| RSA, 2,048-bit            | The current system default. Universal compatibility, fast enough for any plausible workload.    |
| ECDSA, P-384 (secp384r1)  | Smaller and faster keys with stronger curve. Compatible with every modern browser and CA.       |
| ECDSA, P-256 (prime256v1) | Same family, smaller. Good default if you want ECDSA without the slight overhead of P-384.      |
| RSA, 4,096-bit            | More conservative than 2048. Slower handshakes; pick only if your compliance regime demands it. |

The dropdown takes effect on **new** certs and CSRs you generate after saving. Existing certs and keys are unchanged.

## Save the setting

Click **Save**. The change is account-wide and persists across logins. To revert, return to this tab and re-select **Use the system's default key type**.

## Common issues

<AccordionGroup>
  <Accordion title="A CA rejected my ECDSA CSR">
    Some commercial CAs charge extra for ECDSA, some still default to RSA-only on certain product tiers. If the CA refuses, generate an RSA key + CSR for that one cert; you don't have to change the account-wide default.
  </Accordion>

  <Accordion title="I switched to RSA 4,096 and TLS handshakes are slower">
    Expected. RSA 4096 has roughly 4x the signing work per handshake. Most servers don't notice; high-traffic origins do. ECDSA P-256 is the better fit if your concern is performance.
  </Accordion>
</AccordionGroup>

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>