ECDSA证书可以具有RSA签名吗？

证书的签名是由颁发者使用颁发者的密钥创建的。因此，如果证书A内部有一个ECC密钥（即ECDSA证书），但颁发者B有一个RSA密钥，则A的签名将是RSA签名，因为这是颁发者用于签名的密钥。
例如，在facebook.com的情况下，证书本身具有ECC密钥，但发行方证书DigiCert SHA2 High Assurance Server CA具有RSA密钥。因为颁发者使用颁发者的密钥对facebook证书进行签名，所以必须使用RSA。

Steffen的回答对于X.509标准和许多基于标准SSL库的浏览器是正确的。然而，在这个现实世界中，我发现一些设备在TLS 1.2协商中拒绝具有RSA签名的ECDSA证书。

我认为原因是设备作者遵循了RFC-4492（**为我的注释）。

2.2.  ECDHE_ECDSA
In ECDHE_ECDSA, the server's certificate **MUST** contain an ECDSA-
capable public key and **be signed with ECDSA.**

The server sends its ephemeral ECDH public key and a specification of
the corresponding curve in the ServerKeyExchange message.  These
parameters MUST be signed with ECDSA using the private key
corresponding to the public key in the server's Certificate.

尽管RFC-5246、TLS1.2放宽了这个限制。（**是我的）：

7.4.4.  Certificate Request
...
If the client provided a "signature_algorithms" extension, then all
certificates provided by the server MUST be signed by a
hash/signature algorithm pair that appears in that extension. **Note
that this implies that a certificate containing a key for one
signature algorithm MAY be signed using a different signature
algorithm (for instance, an RSA key signed with a DSA key).  This is
a departure from TLS 1.1, which required that the algorithms be the
same.**  Note that this also implies that the DH_DSS, DH_RSA,
ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the
algorithm used to sign the certificate.  Fixed DH certificates MAY be
signed with any hash/signature algorithm pair appearing in the
extension.  The names DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are
historical.

因此，请注意这样的设备存在。