Keypair preferences
A keypair refers to a public key and an associated private key.
To adjust your account settings for keypairs:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to Account > Account settings.
In the Account section, select the edit icon.
In the Keypairs section, you can edit the following account settings related to keypairs:
Field
Description
Require keypair profile to generate keypair
Select this checkbox to require users to select a keypair profile when creating a keypair. What are keypair profiles?
User selection
Select this checkbox to assign individual users to a keypair.
User group selection
Select this checkbox to assign user groups to a keypair. What are user groups?
Algorithms
Select to enable algorithms available to users in your account when creating a keypair:
RSA
Rivest–Shamir–Adleman (RSA) is a widely-used and compatible with various systems and protocols. RSA is a trusted choice for applications requiring broad compatibility and established security practices.
ECDSA
Elliptic Curve Digital Signature Algorithm (ECDSA) is suitable for resource-constrained environments like mobile devices and IoT devices. ECDSA provides strong security with shorter key lengths compared to traditional RSA.
EdDSA
Edwards-curve Digital Signature Algorithm (EdDSA) offers strong resistance against various cryptographic attacks while maintaining efficiency. EdDSA is recommended for applications where security is paramount, such as digital signatures and secure communications.
MLDSA (Quantum-safe)
Module-Lattice-Based Digital Signatures Algorithm (MLDSA) is a quantum-safe approach to cryptographic security. It relies on the difficulty of solving lattice-based problems, which makes it resistant to attacks from quantum computers.
SLHDSA (Quantum-safe)
Secure Lightweight Hash-based Digital Signature Algorithm (SLHDSA) is a quantum-safe approach to cryptographic security. It is designed to offer robust protection with minimal computational overhead. It leverages lightweight hash-based techniques to ensure security while optimizing performance, making it ideal for resource-constrained environments.
Size/Curve
Enable or disable the key sizes or curves available to users in your account when creating a keypair.
The following key sizes are available for RSA algorithms:
2048
A 2048-bit key size is one of the most commonly used key sizes in asymmetric cryptography, particularly in RSA encryption.
3072
A 3072-bit key size provides higher cryptographic strength compared to 2048-bit keys.
4096
A 4096-bit key size offers the highest level of cryptographic security among the RSA options.
Key curve Ed25519 is available for EdDSA.
The following key curves are available for ECDSA algorithms:
P-192
NIST P-192, also known as secp192r1 refers to an elliptic curve defined over a 192-bit prime field.
P-256
NIST P-256, also known as secp256r1 is an elliptic curve defined over a 256-bit prime field. This curve has a higher security level that P-192 due to its longer key length.
P-384
NIST P-384, also known as secp384r1 is an elliptic curve defined over a 384-bit prime field. This curve offers a significantly higher level of security compared to P-256, as it utilizes a longer key length and larger computational parameters.
The following security levels are available for MLDSA algorithms:
MLDSA-44
Represents a cryptographic strength equivalent of at least 128-bit symmetric encryption. This level of security is considered sufficient for many applications requiring strong security, such as protecting sensitive data and communications.
MLDSA-65
Represents a higher cryptographic strength equivalent to at least 192-bit symmetric encryption. Offers increased security margin compared to Security Level 44, making it suitable for applications demanding elevated security requirements.
MLDSA-87
Represents an even higher level of cryptographic strength of at least 256-bit symmetric encryption, surpassing the previous two levels. Equivalent to an even greater bit length in symmetric encryption, further increasing the complexity for potential attackers. Offers the highest level of security among the mentioned levels, suitable for extremely sensitive applications requiring maximum protection against advanced cryptographic attacks.
The following security levels are available for SLHDSA algorithms:
SHA2-128s
Provides a cryptographic strength equivalent to 128-bit symmetric encryption, offering strong protection for general applications.
SHAKE-128s
Offers an equivalent strength of 128-bit symmetric encryption, using SHAKE for flexible security parameters.
SHA2-128f
Similar to SHA2-128s but optimized for faster performance.
SHAKE-128f
Fast variant of SHAKE-128, balancing performance and security.
SHA2-192s
Provides 192-bit symmetric encryption strength, suitable for applications demanding higher security.
SHAKE-192s
Flexible security with 192-bit strength using SHAKE for adjustable output lengths.
SHA2-192f
Fast variant of SHA2-192s, offering higher security with optimized performance.
SHAKE-192f
Fast variant of SHAKE-192, optimized for performance in demanding applications.
SHA2-256s
Offers 256-bit symmetric encryption strength, suitable for highly sensitive applications.
SHAKE-256s
Uses SHAKE for flexible cryptographic output at a 256-bit strength.
SHA2-256f
A faster version of SHA2-256s, providing maximum security with optimized performance.
SHAKE-256f
Fast variant of SHAKE-256, ideal for highly sensitive environments requiring both strong security and high efficiency.
Production key storage
Select to enable storage options available to users in your account when creating a production keypair:
HSM
Disk
Keypair type
Select to enable keypair types available to users in your account when creating a keypair:
Production
Used to sign software released to the public or production environments.
Test
Used to sign software in development or test phases, using short-lived, private certificates.
Nota
Test keypairs expire after a maximum of 30 days.
Enable key rotations
Select this checkbox to allow rotation of 2-10 keys and certificates. Learn more about key rotations.
Enable dynamic keys
Select this checkbox to create dynamic keys. After signing with a dynamic key, these keys are automatically deleted and replaced with a new keypair. Learn more about dynamic keys.
Select Update settings.