diff --git a/releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml b/releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml
new file mode 100644
index 0000000000..5fc316bdb8
--- /dev/null
+++ b/releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    As the version of cirros used in OpenStack CI does not support SHA-2
+    signatures for ssh, any connection from a FIPS enabled machine will fail
+    in case validation.ssh_key_type is set to rsa (the default until now).
+    Using ecdsa keys helps us avoid the mentioned issue.
+    From now on, the validation.ssh_key_type option will be set to ecdsa
+    by default for testing simplicity.
+    This change shouldn't have any drastic effect on any tempest consumer,
+    in case rsa ssh type is required in a consumer's scenario,
+    validation.ssh_key_type can be overridden to rsa.
diff --git a/tempest/config.py b/tempest/config.py
index b4d489163c..75c73c738f 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -974,7 +974,7 @@ ValidationGroup = [
                help="Network used for SSH connections. Ignored if "
                     "connect_method=floating."),
     cfg.StrOpt('ssh_key_type',
-               default='rsa',
+               default='ecdsa',
                help='Type of key to use for ssh connections. '
                     'Valid types are rsa, ecdsa'),
 ]