> Will this be a problem for low-end phones? Why not ECC certificates?

That's a great suggestion, thank you. I chose to use RSA because it has excellent browser support and I don't know how good the browser support for ECC is. If anyone has any useful links/info on this I'd appreciate it very much. Note that you can of course generate and use whatever sort of key/cert pair you'd like.
https://www.ssllabs.com/ssltest/clients.html is a good resource. For reference, the clients listed there that don't support ECDSA are: Android 2.3.7, IE 6 / XP, IE 8 / XP, Java 6u45, and OpenSSL 0.9.8y.
Clients supporting ECDSA certificates advertise it via a TLS extension - some server software can actually serve up an RSA or ECDSA certificate depending on what the client claims to support.
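
An added example, not part of the thread or of any server's own code: a sketch of the selection described above, assuming the extension in question is `signature_algorithms` (type 13) and ignoring the cipher-suite list that real servers also weigh. The function names and the sample ClientHello are constructed for illustration.

```python
SIGNATURE_ALGORITHMS = 13  # extension type, RFC 5246 / RFC 8446
# SignatureScheme code points that require an ECDSA certificate
ECDSA_SCHEMES = {0x0203, 0x0403, 0x0503, 0x0603}

def _take(buf, pos, len_bytes):
    """Read one length-prefixed vector; return (body, next_pos)."""
    end = pos + len_bytes
    if end > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:end], "big")
    if end + n > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[end:end + n], end + n

def offered_schemes(hello):
    """hello: ClientHello body, i.e. after the 4-byte handshake header."""
    if len(hello) < 34:
        raise ValueError("too short for version + random")
    pos = 34                              # legacy_version(2) + random(32)
    for width in (1, 2, 1):               # session_id, cipher_suites, compression
        _, pos = _take(hello, pos, width)
    if pos == len(hello):                 # very old clients send no extensions
        return []
    exts, _ = _take(hello, pos, 2)
    i = 0
    while i < len(exts):
        ext_type = int.from_bytes(exts[i:i + 2], "big")
        data, i = _take(exts, i + 2, 2)
        if ext_type == SIGNATURE_ALGORITHMS:
            raw, _ = _take(data, 0, 2)
            return [int.from_bytes(raw[j:j + 2], "big") for j in range(0, len(raw) - 1, 2)]
    return []

def pick_certificate(hello):
    """Fall back to RSA unless the client explicitly offers an ECDSA scheme."""
    return "ecdsa" if ECDSA_SCHEMES.intersection(offered_schemes(hello)) else "rsa"

def sample_hello(schemes):
    """Constructed ClientHello body for the demo, not captured traffic."""
    exts = b""
    if schemes:
        raw = b"".join(s.to_bytes(2, "big") for s in schemes)
        data = len(raw).to_bytes(2, "big") + raw
        ext = SIGNATURE_ALGORITHMS.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
        exts = len(ext).to_bytes(2, "big") + ext
    # version 0x0303, zero random, empty session_id, one suite, null compression
    return b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + exts

if __name__ == "__main__":
    print(pick_certificate(sample_hello([0x0403, 0x0401])))
    print(pick_certificate(sample_hello([0x0401])))
```

A client that sends no extensions at all, like the oldest entries in the list above, lands on the RSA fallback.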
Will this be a problem for low-end phones? Why not ECC certificates?