A virtual service may be configured with Elliptic Curve (EC) and RSA certificates to support clients of each type.

When a virtual service is configured with both EC and RSA certificates, Avi Load Balancer will prioritize the EC certificates.

  • If a client supports ciphers from only one certificate type, Avi Load Balancer uses that certificate type.

  • If the client supports ciphers for both certificates and the virtual service is configured with both certificates, then the EC certificate will be chosen.

The priority of EC over RSA is not configurable. Avi Load Balancer prefers EC because EC handshake negotiation is significantly faster. On average, EC processing is about four times less CPU-intensive than RSA.

EC also tends to provide significantly higher security. A 256-bit EC certificate (the minimum length supported) is roughly equivalent to a 3k RSA certificate. EC cryptography enables Perfect Forward Secrecy (PFS) with significantly less overhead.
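To audit which certificate each client population will be served under the selection rule described above, the following added example (not Avi Load Balancer code) expands a client's OpenSSL cipher string with the local OpenSSL library through Python's `ssl` module and applies that rule. The client names and cipher strings are constructed samples, and only TLS 1.2-style suites are classified, because TLS 1.3 suite names do not identify a certificate type.

```python
import ssl

# OpenSSL's per-suite "auth" field -> certificate type the server must present.
AUTH_TO_CERT = {"auth-ecdsa": "EC", "auth-rsa": "RSA"}


def cert_types_for(cipher_string):
    """Return the set of certificate types a client cipher string can accept.

    TLS 1.3 suites are skipped: OpenSSL reports them as "auth-any" because the
    suite name carries no authentication algorithm.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()  # the string selects no suite this OpenSSL build knows
    return {AUTH_TO_CERT[c["auth"]] for c in ctx.get_ciphers()
            if c.get("auth") in AUTH_TO_CERT}


def predicted_certificate(cipher_string, configured=("EC", "RSA")):
    """Apply the rule from the text: EC wins whenever both sides support it.

    Returns "EC", "RSA", or None when no configured certificate is usable.
    """
    usable = cert_types_for(cipher_string) & set(configured)
    if "EC" in usable:
        return "EC"
    return "RSA" if "RSA" in usable else None


# Constructed client profiles (hypothetical names, OpenSSL cipher-string syntax).
SAMPLE_CLIENTS = {
    "legacy-appliance": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
    "iot-sensor": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "modern-browser": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
}

if __name__ == "__main__":
    for name, ciphers in SAMPLE_CLIENTS.items():
        print(f"{name:18} -> {predicted_certificate(ciphers)}")
    # A virtual service with only an RSA certificate cannot serve an EC-only client.
    print("iot-sensor, RSA-only VS ->",
          predicted_certificate(SAMPLE_CLIENTS["iot-sensor"], configured=("RSA",)))
```

A result of `None` marks a client population whose handshake would fail against that certificate configuration, which is the case to look for before removing either certificate from a virtual service.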