Elliptic curve cryptography (ECC) may be preferred over RSA-style encryption in some cases, as it allows it to use much shorter key lengths and makes it faster to generate certificates. CAs which are ECC-enabled can issue both RSA and ECC certificates, using their ECC signing certificate.
Certificate System includes native support for ECC features; the support is enabled by default starting from NSS 3.16. It is also possible to load and use a third-party PKCS #11 module, such as a hardware security module (HSM). To use the ECC module, it must be loaded before the subsystem instance is configured.
Third-party ECC modules must have an SELinux policy configured for them, or SELinux needs to be changed from
enforcing mode to
permissive mode to allow the module to function. Otherwise, any subsystem operations which require the ECC module will fail.
9.1. Loading a Third-Party ECC Module