Using a custom ECC certificate makes the site available via TLS 1.3 only

I have deployed an ECC certificate on my domain hosted on Netlify, but after testing my site with Qualys SSL Labs, I can see that my site is only available via TLS 1.3.

This issue means that browsers that do not support TLS 1.3 are not able to access the site.

Could you please help check this issue?

Hi, @chinkung. This is a custom certificate you uploaded and we cannot make changes to it.

If you want to change the SSL certificate you will need to do so by uploading a different certificate. If there are other questions about this, please let us know.

So you mean that Netlify only supports RSA custom certificates in order to make it work with TLS 1.2?

Hi @luke. I just replaced the certificate with an RSA one and it is working.

So this is a Netlify platform limitation: it can accept only RSA certificates.

Could you please mention in the custom certificate documentation that custom certificates need to be RSA only?

Great suggestion! We’ll work on that with our docs team. I’m not sure if it is truly “RSA only” or if it’s instead “symmetrical cryptography only” so we’ll work with our team to understand and update the docs appropriately.

Hi @fool,

From what I observe, the main non-SNI certificate is RSA (.netlify.com), and the web server follows the main certificate and uses cipher suites signed with RSA (ECDHE-RSA-*) for TLS versions lower than 1.3. This causes an ECC certificate, which requires ECC cipher suites signed with ECDSA (ECDHE-ECDSA-*), not to work with TLS versions lower than 1.3.

If your SSL termination server is nginx, installing hybrid non-SNI RSA and ECDSA certificates might solve this problem.
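The observation above (ECDHE-RSA-* suites negotiated for TLS 1.2 and below, while TLS 1.3 works with either key type because its cipher suites do not encode the certificate's signature algorithm) can be reproduced against any host with `openssl s_client`. The script below is an added diagnostic, not part of the thread or of Netlify's tooling; it assumes only that the `openssl` command-line tool (1.1.1 or later, for `-tls1_3`) is installed. It connects three times: TLS 1.3, TLS 1.2 with the default cipher list, and TLS 1.2 restricted to ECDHE-ECDSA suites. If the third probe fails while the first succeeds, the terminator is serving an RSA leaf (or refusing ECDSA suites) below TLS 1.3, which is exactly the symptom reported here.

```shell
#!/bin/sh
# Added example: probe which cipher family and leaf key type a TLS server
# negotiates at TLS 1.3 versus TLS 1.2. Requires openssl(1) >= 1.1.1.

# Pull the negotiated cipher name out of `openssl s_client` output. Both the
# "New, TLSv1.2, Cipher is X" summary line and the "Cipher    : X" line in the
# SSL-Session block are accepted; the first match wins.
negotiated_cipher() {
    sed -n -e 's/^New, .*Cipher is \([^ ]*\).*/\1/p' \
           -e 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Classify a cipher name by the certificate key type it requires. TLS 1.2
# suite names embed the authentication algorithm (ECDHE-ECDSA-*, ECDHE-RSA-*,
# plain AES*/RSA-* for RSA key exchange); TLS 1.3 suites (TLS_*) do not.
cipher_family() {
    case "$1" in
        ECDHE-ECDSA-*|ECDH-ECDSA-*)      echo "ECDSA certificate required" ;;
        ECDHE-RSA-*|DHE-RSA-*|AES*|RSA-*) echo "RSA certificate required" ;;
        TLS_*)                           echo "TLS 1.3 suite (key type independent)" ;;
        ""|"(NONE)"|"0000")              echo "no cipher negotiated" ;;
        *)                               echo "unknown" ;;
    esac
}

# Pull the leaf certificate's public key algorithm (rsaEncryption or
# id-ecPublicKey) out of `openssl x509 -text` output.
leaf_key_type() {
    sed -n 's/^ *Public Key Algorithm: *\(.*\)$/\1/p' | head -n 1
}

# probe HOST [PORT]: run the three handshakes and report each result.
probe() {
    host=$1
    port=${2:-443}
    for mode in tls1_3 tls1_2 tls1_2-ecdsa-only; do
        case "$mode" in
            tls1_3)           opts="-tls1_3" ;;
            tls1_2)           opts="-tls1_2" ;;
            tls1_2-ecdsa-only) opts="-tls1_2 -cipher ECDHE-ECDSA" ;;
        esac
        # Word splitting of $opts is intended. SNI is sent so the per-site
        # certificate, not the terminator's default non-SNI one, is selected.
        # shellcheck disable=SC2086
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              $opts </dev/null 2>/dev/null)
        cipher=$(printf '%s\n' "$out" | negotiated_cipher)
        # On a failed handshake no PEM block is printed and x509 fails quietly.
        key=$(printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null | leaf_key_type)
        printf '%-18s cipher=%-32s %s; leaf key: %s\n' \
            "$mode" "${cipher:-none}" "$(cipher_family "$cipher")" "${key:-unavailable}"
    done
}

# Usage: sh probe-tls.sh example.com [443]
if [ $# -gt 0 ]; then
    probe "$@"
fi
```

A healthy hybrid deployment (RSA and ECDSA certificates both installed, as suggested above) shows an ECDHE-ECDSA suite and `id-ecPublicKey` on the third probe; a terminator that only honours RSA below TLS 1.3 reports `no cipher negotiated` there while the `tls1_3` probe still succeeds.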

Thanks for that follow-up! Our developers will look at your reports and work with us to improve the docs or advise in case they think that an ECC cert should work better :slight_smile:

Hi @chinkung,

We only recently started supporting ECDSA ciphers in our CDN infrastructure. In the past we only supported RSA (but didn’t document that anywhere, sorry!).

The rollout of the new ciphers finished around end of the year, so can you maybe try the custom cert again and let us know how it goes?
I recently tested a LetsEncrypt-issued ECDSA cert with SSL Labs and it showed the expected support.