2048 bit Key Requirements for 2014
Guidance on Digital Certificates with 1024 bit keys (including SSL Certificates) circa 2010
In accordance with guidance from the National Institute of Standards and Technology (NIST) Certificate Authorities (CAs) were advised to follow the recommendations published initially in advisory 800-57 and later 800-131A. CA’s were advised to deprecate signing Digital Certificates that contained RSA Public Keys of 1024 bits after 31st December 2010 and cease signing completely by 31st December 2013 (Table 2, Section 3 of 800-131A). At the time, a general consensus was that previously issued, long lived certificates expiring after the 31st December 2013 should be dealt with nearer to the deadline.
As a forward thinking Certificate Authority with an SSL Mission “To improve how CAs deploy SSL and end users rely on SSL”, GlobalSign helped its customers stay protected and benefit from the highest levels of security available, by mandating a stronger security level than the NIST Guidance and therefore ahead of the industry norm. From 1st January 2011, GlobalSign introduced RSA key size requirements to no longer accept 1024 bit Certificate Signing Requests (CSRs). This thinking was aligned with the decision, back in 1998, to create a 2048 bit Root Certificate and therefore a full 2048 bit hierarchy of services including issuing CAs, CRLs and OCSP responders.
Guidance on Digital Certificates with 1024 bit keys three years on
In 2012 the NIST recommendations were adopted by the CA/Browser Forum by incorporating the 31st December 2013 date into Appendix A of the Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates. Certificate Authorities were subsequently instructed by Browser root programs, such as the Mozilla CA Certificate Policy program, to discontinue signing certificates with 1024 bit RSA keys by the deadline. In some cases, GlobalSign’s customer base enjoyed almost 3 years of higher security levels compared to CAs that have continued to issue up to the deadline. Over the next few years where the chances of factoring 1024 RSA primes increases, there is a potential of a successful MITM (Man in the Middle) attack on long lived operational certificates used for live transactions, or data that may have been captured by a third party for future decryption as detailed in press items from June 2013 concerning PRISM.
Impact to GlobalSign customers using 1024 bit keys three years on
In order to comply with and to remain one step ahead of these upcoming industry requirements, GlobalSign has made the decision to formally revoke all 1024 bit Certificates still in use after 30th November 2013.
If you are one of those customers then it’s time to upgrade. Although you have a 1024 bit certificate that was issued prior to January 1st 2011 and does not expire until after 31st December 2013 (i.e. a 4 or 5 year certificate), you will need to upgrade to 2048 bit key length as soon as possible before 30th November 2013. The process is easy and you simply need to reissue your existing certificate. Please note that if you do not reissue your existing certificate you will need to reorder a new one after this date. GlobalSign will be contacting you shortly and will assist you to smoothly upgrade with minimal impact and in most cases at zero cost, as upgrades are free.
In the meantime if you are unsure which key strength your existing certificate is, why not check it using our SSL Configuration Checker Tool at https://sslcheck.globalsign.com/en_GB
If you require more in-depth information please do not hesitate to contact us.