There are many elliptic curves to choose from, and some are safer than others; see SafeCurves: choosing safe curves for elliptic-curve cryptography. But the CA/Browser Forum also limits the elliptic-curve choices.

NIST P-256 (secp256r1) and NIST P-384 (secp384r1) are not the safest. NIST P-521 (secp521r1) isn't shown in the list, but there are worse ones. I personally choose x448, x25519, secp521r1, secp384r1 (server preferred order).

Now certificates. Reference: Baseline Requirements Documents (SSL/TLS Server Certificates)

For ECDSA key pairs, the CA SHALL:

- Ensure that the key represents a valid point on the NIST P‐256, NIST P‐384 or NIST P‐521 elliptic curve.

**7.1.3.1.2 ECDSA**

The CA SHALL indicate an ECDSA key using the id‐ecPublicKey (OID: 1.2.840.10045.2.1) algorithm identifier. The parameters MUST use the namedCurve encoding.

- For P‐256 keys, the namedCurve MUST be secp256r1 (OID: 1.2.840.10045.3.1.7).
- For P‐384 keys, the namedCurve MUST be secp384r1 (OID: 1.3.132.0.34).
- For P‐521 keys, the namedCurve MUST be secp521r1 (OID: 1.3.132.0.35).

When encoded, the AlgorithmIdentifier for ECDSA keys MUST be byte‐for‐byte identical with the following hex‐encoded bytes:

- For P‐256 keys, 301306072a8648ce3d020106082a8648ce3d030107.
- For P‐384 keys, 301006072a8648ce3d020106052b81040022.
- For P‐521 keys, 301006072a8648ce3d020106052b81040023.

Now the **Cipher Suites** seem to have greater flexibility as shown by SSL Report: hp-67.com in the *Handshake Simulation* section. You will note that **ECDH x25519** is being used with some of the simulated clients.

So there is more than meets the eye in selecting elliptic curves, and more than one choice to be made for TLS (SSL). Certificates are only one of the pieces that has a choice, and it is presently limited to 3; other areas (cipher suites) have more choices, and at least 1 Safe Curve is available from a practical point of view.
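To make the byte‐for‐byte AlgorithmIdentifier requirement quoted above concrete, here is an added example (not part of the original answer or of the Baseline Requirements) that pulls the AlgorithmIdentifier out of a DER SubjectPublicKeyInfo and compares it with the three permitted encodings. The function names and the sample keys are assumptions made for illustration; the samples use a placeholder point, and the check covers only the encoding, not whether the key is a valid point on the curve.

```python
# Added example: the three AlgorithmIdentifier encodings are the ones quoted in the text above.
ALLOWED = {
    "P-256": bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107"),
    "P-384": bytes.fromhex("301006072a8648ce3d020106052b81040022"),
    "P-521": bytes.fromhex("301006072a8648ce3d020106052b81040023"),
}

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the DER element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or off + 2 + n > len(buf):
            raise ValueError("bad length")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    end = off + hdr + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, off + hdr, end

def spki_algorithm_identifier(spki):
    """Raw bytes of the AlgorithmIdentifier in a DER SubjectPublicKeyInfo."""
    tag, start, end = read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single DER SEQUENCE")
    alg_tag, _, alg_end = read_tlv(spki, start)
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    return spki[start:alg_end]

def br_curve(spki):
    """Name of the permitted curve, or None if the encoding is not one of the three."""
    alg = spki_algorithm_identifier(spki)
    return next((name for name, want in ALLOWED.items() if alg == want), None)

def make_spki(alg):
    """Constructed sample: all-zero placeholder point, not a real key."""
    key = b"\x03\x42\x00\x04" + bytes(64)   # BIT STRING holding a 65-byte uncompressed point
    return bytes([0x30, len(alg) + len(key)]) + alg + key

if __name__ == "__main__":
    secp256k1 = bytes.fromhex("301006072a8648ce3d020106052b8104000a")  # curve not in the list
    long_len = b"\x30\x81\x13" + ALLOWED["P-256"][2:]  # same OIDs, non-minimal length byte
    for label, alg in [("P-256", ALLOWED["P-256"]), ("secp256k1", secp256k1), ("long-form", long_len)]:
        print(label, "->", br_curve(make_spki(alg)))
```

The long-form case names the same curve as P-256 but fails the comparison, which is the practical effect of requiring identical bytes rather than an equivalent OID.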