Elliptic curve certificates are much smaller, leading to faster TLS handshakes. They are also considered more secure in comparison to RSA certificates. This should speed up loading secure websites on most client devices.

We will generate/request EC 384 certificates with key exchange cipher ECDH secp384r1 and request signature using SHA384. This is currently the maximum for best browser compatiblity. The resulting certificate will provide much better encryption and authentication compared to your usual RSA 4096/SHA256 combo.

In the following examples, certificates are requested with a SHA384 secure hash signature, however Let's Encrypt currently enforces a limit of SHA256 which will be applied to your requests. Once the limit is lifted, the following requests should be honored with SHA384.

openssl req -x509 -nodes -days 3650 -sha384 -newkey ec:<(openssl ecparam -name secp384r1) -keyout ecdsakey.pem -out ecdsacert.pem
openssl ec -in ecdsakey.pem -noout -text
openssl req -new -key ecdsakey.pem -nodes -subj "/CN=example.com" -sha384 -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com')) -out csr.pem -outform pem
certbot certonly --webroot -n --server "https://acme-v02.api.letsencrypt.org/directory" --domain "example.com" --csr csr.pem

When using a recent Certbot version, it is no longer necessary to request an EC certificate using a CSR, so this is the easier solution:

certbot certonly --webroot --key-type ecdsa --elliptic-curve secp384r1 -n -d example.com -d www.example.com --server "https://acme-v02.api.letsencrypt.org/directory"

Is it worth it yet? All currently supported operating systems and web browsers will work with EC certificates. Backwards compatibility is also good enough. Let this speak for itself: SSLLabs Survey: www.chotaire.net.