FAQ - Guidance on Digital Certificates with 1024 Bit Keys

    • What are the latest guidelines regarding 1024 vs 2048 bit certificates?

A few years back, NIST (the National Institute of Standards & Technology) advised CAs to deprecate the signing of Digital Certificates containing RSA Public Keys of 1024 bits after 31st December 2010 and to cease signing them completely by 31st December 2013.

These recommendations have been incorporated into the Baseline Requirements by the CA/B Forum. The 31st of December 2013 is now the cut-off date for 1024 bit issuance across all CAs.

    • Is GlobalSign compliant with the new requirements?

Back in 1998 GlobalSign had the foresight to create a 2048 bit Root Certificate and therefore a full 2048 bit hierarchy of services including issuing CAs, CRLs and OCSP responders. We also mandated a stronger security level than the NIST Guidance ahead of the industry norm by no longer accepting 1024 bit Certificate Signing Requests (CSRs) from 1st January 2011.

Hence the majority of our customers moved towards 2048 bit best practice well ahead of schedule and would have enjoyed almost three years of higher security levels compared to CAs that have continued to issue up to the deadline.

    • Are 1024 bit Certificates more vulnerable?

In the last 10 years, computational power has grown at an exponential rate. As the chance of factoring 1024 bit RSA keys increases, certificates with 1024 bit keys could become entirely redundant across the board.

    • How can I check if my certificate has an encryption key of 1024 bit?

You can verify the key length of your SSL Certificate by simply entering your domain in our SSL Configuration Checker Tool. This works for any SSL Certificate issued from GlobalSign or alternative SSL providers so you can find out in seconds if your website needs upgrading.



    • How do I migrate to 2048 bit?

All customers that have certificates with an encryption key of 1024 bit need to upgrade to 2048 bit encryption. Certificates that are not upgraded will be revoked on the 30th of November 2013. GlobalSign will be contacting you in the coming weeks and will assist you to smoothly upgrade with minimal impact and in most cases zero cost, as upgrades are free.

    • What will happen to my 1024 bit certificate if I don’t upgrade?

For best security practice, GlobalSign will revoke all 1024 bit certificates on the 30th of November 2013; we therefore recommend you upgrade to 2048 bit security as soon as possible. To upgrade you simply need to reissue your certificate, which is free and can be done in a few easy steps. If you do not reissue your certificate before the revocation date, you will need to reorder a brand new certificate.

    • What is the CA/B Forum?

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading Certification Authorities (CAs) and vendors of Internet browser software and other applications that define industry-wide standards for the issuance and management of SSL/TLS Digital Certificates.

    • What is the NIST?

NIST stands for “National Institute of Standards and Technology” and is a US federal agency. Its mission is broad: to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.