diff --git a/CHANGES b/CHANGES
index c6faa483e..8dc5ddada 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1912,3 +1912,6 @@
 [5.1.5]
 * Check for .well-known routes upstream as fallback. This broke nextcloud's caldav/carddav
+[5.2.0]
+* acme: request ECC certs
+
diff --git a/src/cert/acme2.js b/src/cert/acme2.js
index 38a4580fc..dcf7fba43 100644
--- a/src/cert/acme2.js
+++ b/src/cert/acme2.js
@@ -332,7 +332,7 @@ Acme2.prototype.createKeyAndCsr = function (hostname, callback) {
 // in some old releases, csr file was corrupt. so always regenerate it
 debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
 } else {
- var key = safe.child_process.execSync('openssl genrsa 4096');
+ var key = safe.child_process.execSync('openssl ecparam -genkey -name secp384r1'); // openssl ecparam -list_curves
 if (!key) return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error));
 if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new BoxError(BoxError.FS_ERROR, safe.error));
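Review bot: The new curve only takes effect in the `else` branch, so a host whose key file already exists appears to keep its RSA key on every renewal (the context line above logs "reuse the key for renewal"). If 5.2.0 is meant to move existing certificates to ECC, the reuse branch needs to check the key type and regenerate; otherwise the changelog entry should say it applies to newly issued certificates only. On the changed line itself, `openssl ecparam -genkey` prints an `EC PARAMETERS` block ahead of the private key, and PEM loaders that read only the first block may reject the file; `openssl ecparam -genkey -noout -name secp384r1` keeps it to a single block. The visible `writeFileSync(privateKeyFile, key)` call passes no mode, so it is worth confirming the key file ends up readable only by the service user. `createKeyAndCsr` starts and ends outside this hunk, so the reuse condition and the CSR step are not visible here.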