What you need to know to migrate from 1024-bit to 2048-bit encryption

I hope by now that you are aware that the Certificate Authority/Browser Forum has mandated that Certificate Authorities stop supporting 1024-bit key length RSA certificates for both SSL and code signing by the end of this year (2013). To learn more about these changes please read the CA/Browser Forum’s paper on the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates

What do you need to do?

Any Symantec customers with certificates expiring this year (2013) will need to renew by generating a Certificate Signing Request (CSR) of 2048 bits or higher. Any Symantec customers with certificates expiring in 2014 or later will need to replace and upgrade all 1024-bit certificates with 2048-bit RSA/DSA or 256-bit ECC certificates by 1st October 2013. All existing 1024-bit certificates will be discontinued industry-wide in the new year (2014). This is in compliance with NIST Special Publication 800-131A you can read more about the changes here

To make this transition as easy as possible here are a few helpful resources:

Check your certificate’s encryption strength

Determine the key-length of your certificates

How to generate a new CSR

We have several tutorials that show you how to generate a CSR:

You can check and validate your CSR using this tool

How to Install a Certificate

We have several tutorials that show you how to install a SSL Certificate:

If you have a Microsoft IIS 6.0 or 7.0 server running .NET 2.0 or higher, or a Red Hat servers our SSL Assistant will help you automatically generate your new 2048-bit CSR and later install it

Additional Resources

FAQ: Ending support for 1024-bit certificates

Support: Get technical support for 1024-bit transition

Leave a Reply