Hey @neil any chance to take a fresh look at this issue in 2026?
For your argument of performance, as far as I understand it, ECDSA keys are less computationally intensive than RSA 4096+ keys.
Let's Encrypt also suggests a setup that runs dual certificates based on client capabilities, which makes me think it would work around the issue nicely as well.
[…] Our recommendation is to serve a dual-cert config, offering an RSA certificate by default, and a (much smaller) ECDSA certificate to those clients that indicate support.