I hope by now that you are aware that the Certificate Authority/Browser Forum has mandated that Certificate Authorities stop supporting 1024-bit key length RSA certificates for both SSL and code signing by the end of this year (2013). To learn more about these changes, please read the CA/Browser Forum’s paper on the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
What do you need to do?
Any Symantec customers with certificates expiring this year (2013) will need to renew by generating a Certificate Signing Request (CSR) of 2048 bits or higher. Any Symantec customers with certificates expiring in 2014 or later will need to replace and upgrade all 1024-bit certificates with 2048-bit RSA/DSA or 256-bit ECC certificates by 1st October 2013. All existing 1024-bit certificates will be discontinued industry-wide in the new year (2014). This is in compliance with NIST Special Publication 800-131A; you can read more about the changes here.
To make this transition as easy as possible here are a few helpful resources:
Check your certificate’s encryption strength
Determine the key-length of your certificates
How to generate a new CSR
We have several tutorials that show you how to generate a CSR:
- For a Microsoft IIS 5/ server
- For a Microsoft IIS7 server
- For an Apache server
- For a Microsoft Exchange server
You can check and validate your CSR using this tool.
We have several tutorials that show you how to install an SSL certificate:
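As an added example (not Symantec's tooling and not part of the original post), the shell functions below use the OpenSSL command line to generate a 2048-bit RSA key with its CSR and to check an existing certificate or CSR against the minimums given above. The function names, the output file layout and the CN-only subject are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: requires the openssl CLI. Names and file layout are hypothetical.

# new_csr CN DIR -> writes DIR/CN.key (2048-bit RSA, unencrypted) and DIR/CN.csr
new_csr() {
    local cn=$1 dir=$2
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
            -subj "/CN=$cn" 2>/dev/null
    )
}

# check_key FILE -> prints "OK|WEAK <algorithm> <bits>" for a PEM cert or CSR.
# Returns 0 if the key meets the minimum, 1 if it is too short, 2 on error.
check_key() {
    local file=$1 kind=x509 text alg bits min
    # A CSR carries a "CERTIFICATE REQUEST" PEM header; anything else is
    # treated as an X.509 certificate.
    if grep -q 'CERTIFICATE REQUEST' "$file"; then kind=req; fi
    text=$(openssl "$kind" -in "$file" -noout -text 2>/dev/null) || {
        echo "ERROR cannot parse $file"; return 2; }
    alg=$(printf '%s\n' "$text" |
          sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    # Minimums from the post: 2048-bit RSA/DSA or 256-bit ECC.
    case $alg in
        rsaEncryption|dsaEncryption) min=2048 ;;
        id-ecPublicKey)              min=256 ;;
        *) echo "UNKNOWN $alg"; return 2 ;;
    esac
    if [ "${bits:-0}" -ge "$min" ]; then
        echo "OK $alg $bits"
    else
        echo "WEAK $alg $bits"; return 1
    fi
}
```

Running `check_key` over every deployed certificate file gives a quick inventory of which ones still need to be replaced before the deadline.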
- For a Microsoft IIS 5/ server
- For a Microsoft IIS7 server
- For an Apache server
- For a Microsoft Exchange server
If you have a Microsoft IIS 6.0 or 7.0 server running .NET 2.0 or higher, or a Red Hat server, our SSL Assistant will help you automatically generate your new 2048-bit CSR and later install it.
Additional Resources