diff --git a/cmd/utils.go b/cmd/utils.go
index 156f7bb..84dce8f 100644
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -2,6 +2,8 @@ package cmd
 
 import (
 	"bufio"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
@@ -93,6 +95,9 @@ func createSigningCertificate(signerId string) error {
 	}
 
 	signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
+	if nil != err {
+		return err
+	}
 
 	// save cert
 	certFile := signerFile(signerId) + ".crt"
@@ -119,12 +124,15 @@ func createSigningCertificate(signerId string) error {
 
 func createTLSCertificate(host string) error {
 	fmt.Println("Generating TLS keys. This may take a minute...")
-	priv, err := rsa.GenerateKey(rand.Reader, 4096)
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return fmt.Errorf("failed to generate TLS private key:", err)
 	}
 
 	tlsCert, err := reseed.NewTLSCertificate(host, priv)
+	if nil != err {
+		return err
+	}
 
 	// save the TLS certificate
 	certOut, err := os.Create(host + ".crt")
@@ -140,7 +148,11 @@ func createTLSCertificate(host string) error {
 	if err != nil {
 		return fmt.Errorf("failed to open %s for writing: %s", host+".pem", err)
 	}
-	pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+	derBytes, err := x509.MarshalECPrivateKey(priv)
+	if nil != err {
+		return err
+	}
+	pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: derBytes})
 	keyOut.Close()
 	fmt.Printf("TLS private key saved to: %s\n", host+".pem")
 
diff --git a/reseed/utils.go b/reseed/utils.go
index aeb11cd..e9d58fe 100644
--- a/reseed/utils.go
+++ b/reseed/utils.go
@@ -1,8 +1,8 @@
 package reseed
 
 import (
+	"crypto/ecdsa"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -33,7 +33,7 @@ func SignerFilename(signer string) string {
 	return strings.Replace(signer, "@", "_at_", 1) + ".crt"
 }
 
-func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
+func NewTLSCertificate(host string, priv *ecdsa.PrivateKey) ([]byte, error) {
 	notBefore := time.Now()
 	notAfter := notBefore.Add(2 * 365 * 24 * time.Hour)
 
@@ -53,8 +53,9 @@ func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
 			Country:            []string{"XX"},
 			CommonName:         host,
 		},
-		NotBefore: notBefore,
-		NotAfter:  notAfter,
+		NotBefore:          notBefore,
+		NotAfter:           notAfter,
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
 
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},