How to Manage the 1024-bit SSL Certificate Migration

Migrating certificates during a major key size migration can be difficult at best. I’m going to give you some background, share a great video we have produced, as well as share seven steps to aid in this migration.

Background – Key Sizes Change with Time

Since the RSA algorithm was first publically described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman, 17 key sizes have been factored (hacked).  So far the highest key size that was factored was RSA 768-bit in 2009.  As cloud computing grows so does the threat that RSA 1024-bit will be factored as well. 

Industry Response – Bring 1024-bit Certificate to End-of-Life

In order to be proactive, Certification Authorities (CAs) have been tasked to bring these certificates to end-of-life by the end of 2013.  An end date of December 31, 2013 was listed by NIST (The National Institute of Standards and Technology) and later adopted and mandated by the CA/Browser Forum.  End-users of 1024-bit certificates have been migrating to stronger key sizes (2048-bit RSA or 256-bit ECC) since 2010 but this year is the final push.

Not Sure What’s Going On? – Watch the Video

The video carousel allows you select the questions you have and watch the portions that interest you the most.  Alternatively you can watch a full non-stop version that will speak to each issue in less than 11 minutes.

Do you need to watch this video?  Let me ask you three random questions; if you know the answers then I might want to skip over it.

  1. What happens if I don’t replace my certificate?
  2. When will my certificates be impacted?
  3. What can I do about the performance impact of 2048?

What You Need to Do – Test, Search, ID, Generate, Revoke, Install, and Test

No matter where an end-user is within the process Symantec has developed a 1024-bit Migration Information webpage to assist in the process.  The highlight of the information is the 1024-bit Migration Video Carousel which allows you to hunt for any question you have to receive an immediate video response.  Here are the seven steps end-users need to conduct in the migration.

  1. Test your system to ensure it can handle a 2048-bit RSA.  You can download a trial certificate here.
  2. Find all the certificates within your environment.  If you have a large organization make sure you have a tool that can find and manage these certificates.  Symantec Certificate Intelligence Center can do this and even automate Symantec SSL Certificate management as well.
  3. Identify the validity period of the certificate.  Does it expire in 2013?  Don’t worry; just renew it when it’s time.  Does it expire in 2014 or later?  If so keep reading.
  4. When renewing or replacing a certificate generate a Certificate Signing Request (CSR) for a 2048-bit RSA or 256-bit ECC key length.  Use this page if you need help.
  5. Revoke and replace any certificates expiring after 2013 before your Certification Authority (CA) plans on revoking them this year.  Don’t let them surprise you in the middle of the holiday shopping season or on New Year’s Eve. 
  6. Once your new certificate has been issued please install the end-entity certificate and any additional intermediate certificates.  With so many different servers within the ecosystem there are different methods to install SSL certificates.  No problem… check out this page for instructions and install videos.
  7. Test your website or link to ensure you have a safe and encrypted connection.  This test utility works well.

We at Symantec wish you well during this time of transition and migration.  Please visit our 1024-bit information webpage for every resource we have available on the subject. 

Leave a Reply