SSL Key Requirements
Overview
The WAF requires RSA-based SSL certificates. ECDSA (also known as ECC or Elliptic Curve) keys are not supported. If you are providing your own SSL certificate or generating a CSR (Certificate Signing Request), you must use an RSA key.
Why RSA Only?
The WAF infrastructure uses RSA keys for SSL/TLS termination. While ECDSA keys offer some performance advantages, RSA keys provide the broadest compatibility across the WAF’s edge network and are required for the certificate installation process.
Key Size Requirements
- Minimum: 2048-bit RSA key
- Recommended: 2048-bit RSA key (larger key sizes like 4096-bit are supported but provide minimal additional security while increasing handshake time)
How to Check Your Key Type
Check an Existing Certificate
openssl x509 -in your-certificate.crt -text -noout | grep "Public Key Algorithm"
- RSA: You will see rsaEncryption — this is compatible
- ECDSA: You will see id-ecPublicKey — this is not compatible
Check a Private Key
openssl rsa -in your-key.pem -check 2>/dev/null && echo "RSA key" || echo "Not an RSA key"
Check a CSR
openssl req -in your-csr.csr -text -noout | grep "Public Key Algorithm"
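The three checks above combined into one script, as an added example that is not the WAF's own tooling: it classifies a certificate, CSR or private key as RSA or EC, reports the key size against the 2048-bit minimum, and confirms that a certificate and a private key belong together. It assumes openssl (1.1.1 or 3.x) is on PATH and that the private key is unencrypted; the script name waf_key_check.sh is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the WAF's own tooling. Classifies a PEM certificate, CSR or
# private key as RSA or EC (as the openssl checks above do), reports the key size
# and confirms a certificate belongs to a private key. Assumes an unencrypted key.

# Dump the human-readable text of a certificate, CSR or private key.
pem_text() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
        openssl req -in "$1" -noout -text 2>/dev/null
    elif grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -noout -text 2>/dev/null
    else
        openssl pkey -in "$1" -noout -text 2>/dev/null
    fi
}

# Print RSA, EC or unknown. Certificates and CSRs carry "Public Key Algorithm";
# for private keys the RSA- and EC-specific loaders decide, as in the check above.
key_algorithm() {
    local alg=""
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        alg=$(pem_text "$1" | grep -m1 'Public Key Algorithm')
    elif openssl rsa -in "$1" -noout 2>/dev/null; then alg=rsaEncryption
    elif openssl ec -in "$1" -noout 2>/dev/null; then alg=id-ecPublicKey
    fi
    case "$alg" in
        *rsaEncryption*)  echo RSA ;;
        *id-ecPublicKey*) echo EC ;;
        *)                echo unknown ;;
    esac
}

# Print the key size in bits, e.g. 2048 (first "(N bit" in the text dump).
key_bits() { pem_text "$1" | grep -o -m1 '([0-9]* bit' | tr -dc '0-9'; }

# Succeed when the certificate's public key equals the private key's public half.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: waf_key_check.sh <cert|csr|key> [private-key-to-compare]
if [ "$#" -ge 1 ]; then
    alg=$(key_algorithm "$1"); bits=$(key_bits "$1")
    echo "$1: $alg, ${bits:-?} bit"
    [ "$alg" = RSA ] || echo "NOT COMPATIBLE: the WAF requires an RSA key"
    [ "$alg" = RSA ] && [ "${bits:-0}" -lt 2048 ] && echo "TOO SMALL: minimum is 2048-bit RSA"
    [ "$#" -ge 2 ] && { cert_matches_key "$1" "$2" && echo "matches $2" || echo "does NOT match $2"; }
fi
```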
What to Do If You Have an ECC Key
If your current certificate uses an ECDSA/ECC key, you need to generate a new RSA key and obtain a new certificate:
Generate a New RSA Key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
You will be prompted to enter your domain information. The most important field is the Common Name (CN), which should be your domain name (e.g., example.com or *.example.com for a wildcard).
Obtain a New Certificate
Use the generated CSR to request a new certificate from your certificate authority. If you are using the WAF’s built-in certificate management (most customers), the WAF handles certificate generation automatically using RSA keys — no action is needed on your part.
Automatic Certificates
Most WAF customers use the automatically issued and renewed certificates provided by the WAF. These certificates:
- Are RSA-based (no action needed)
- Are issued and renewed automatically
- Cover your domain and www subdomain
- Use the GoDaddy/Starfield certificate authority
If you are using automatic certificates, you do not need to worry about key type requirements — it is handled for you.
Need Help?
If you are unsure about your key type or need help with certificate installation:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min