SSL Labs test shows grade B for a virtual service configured on Avi Load Balancer.

A Grade B result from SSL Labs for a virtual service indicates the following issues:

  • Inadequate security with modern clients (web browsers)

  • Obsolete security algorithm used with older clients

  • Minor configuration problems

Resolution

Replace the RSA certificate associated with the virtual service with an Elliptic Curve (EC) certificate. Using an RSA certificate instead of an ECC certificate lowers the SSL Labs test grading for the following reasons:

  • ECC certificates are more secure than RSA certificates.

  • ECC generates keys that are smaller than RSA keys yet stronger.

RSA is considered less secure than ECC but is more compatible with a broader array of older browsers. ECC is newer, less computationally expensive, and generally more secure; however, it is not yet accepted by all clients (web browsers).

Avi Load Balancer allows a virtual service to be configured with two certificates simultaneously, one RSA and one ECC. This allows Avi Load Balancer to negotiate the optimal algorithm or cipher with the client. If the client supports the EC certificate, Avi Load Balancer prefers Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA provides the additional benefit of supporting Perfect Forward Secrecy (PFS). PFS brings better security for a virtual service at minimal additional computational cost.
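To confirm which certificate types a virtual service actually serves after the change, the following added example (not part of the original article or of Avi Load Balancer) probes it once with an ECDSA-only client and once with an RSA-only client. The host name is a placeholder, the function names are illustrative, and the probe assumes the virtual service accepts TLS 1.2.

```python
import socket
import ssl

# OpenSSL cipher strings: ECDHE key exchange (forward secrecy) authenticated
# by exactly one certificate type. NULL-encryption suites are excluded.
CIPHER_STRINGS = {"ECDSA": "ECDHE+aECDSA:!eNULL", "RSA": "ECDHE+aRSA:!eNULL"}

def make_probe_context(cert_type, cafile=None):
    """Client context that can only handshake against a `cert_type` certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
    # TLS 1.3 suites do not encode the certificate type and the ssl module
    # cannot restrict signature algorithms, so the probe pins TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRINGS[cert_type])
    return ctx

def offered_tls12_suites(ctx):
    """Suites the probe will offer (get_ciphers() also lists unused TLS 1.3 ones)."""
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def probe(host, port, cert_type, cafile=None, timeout=5.0):
    """Return the negotiated suite name, or None if the handshake is refused."""
    ctx = make_probe_context(cert_type, cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
        except ssl.SSLCertVerificationError:
            raise  # an untrusted certificate is a finding, not "not served"
        except (ssl.SSLError, ConnectionResetError):
            return None

def assess(results):
    """Summarize {cert type: negotiated suite or None} for one virtual service."""
    ecdsa, rsa = results.get("ECDSA"), results.get("RSA")
    if ecdsa and rsa:
        return "dual: ECDSA for capable clients, RSA fallback"
    if ecdsa:
        return "ECDSA only: no ECDHE-RSA fallback for clients without EC support"
    if rsa:
        return "RSA only: no EC certificate is served"
    return "neither: no ECDHE suite negotiated with either certificate type"

if __name__ == "__main__":
    host = "vs.example.com"  # placeholder: the virtual service's FQDN
    print(assess({t: probe(host, 443, t) for t in CIPHER_STRINGS}))
```

A result of "dual" matches the two-certificate configuration described above; pass `cafile` when the certificates are issued by a private CA.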

For more information on SSL certificates on Avi Load Balancer, see SSL Certificates.